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ABSTRACT 


The  June  2013  diselosure  that  the  National  Security  Agency  collects  information  on  U.S. 
citizens  revived  the  debate  over  the  proper  balance  between  national  security  and  civil 
liberties.  Central  to  the  conversation  is  the  concept  of  privacy.  If  the  government  is  going 
to  collect  intelligence  on  individuals  in  order  to  defeat  terrorism,  then  it  must  penetrate 
the  veil  of  privacy. 

The  outcome  of  the  security  versus  privacy  debate  relies  on  three  main  factors:  1) 
the  nature  of  the  threat;  2)  the  effectiveness  of  intelligence  methods  taken  by  the 
government  to  counter  that  threat;  and  3)  the  effect  those  intelligence  efforts  have  on 
Americans’  privacy.  Although  imprecise  and  controversial,  methods  for  measuring  the 
threat  and  the  effectiveness  of  intelligence  efforts  against  that  threat  exist  in  various 
forms.  It  does  not  appear,  however,  that  the  impact  of  surveillance  on  privacy  is 
measured  in  any  useful  way.  This  thesis  addresses  the  problem  of  measuring  privacy 
costs  by  examining  the  following  questions:  What  elements  of  government  surveillance 
programs  and  privacy  expectations  must  be  taken  into  account?  What  level  of  domestic 
surveillance  is  acceptable  to  the  American  public?  And  finally,  how  can  we  measure  the 
cost  of  privacy  to  better  inform  the  security  versus  liberty  debate? 
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I.  SECURITY  VERSUS  LIBERTY 


A.  MAJOR  RESEARCH  QUESTION 

The  June  2013  diselosure  that  the  National  Security  Agency  (NSA)  collects 
information  on  U.S.  citizens  revived  the  debate  over  the  proper  balance  between  national 
security  and  civil  liberties.  The  current  iteration  of  the  dispute  focuses  on  the  use  of 
domestic  surveillance  tools  to  support  the  state’s  interest  in  protecting  against  terrorism 
versus  society’s  interest  in  civil  liberties.  Central  to  the  conversation  is  the  concept  of 
privacy  because  it  is  “the  one  aspect  of  liberty  that  inhibits  the  government’s  acquisition 
of  information.”!  Thus,  if  the  government  is  going  to  collect  intelligence  on  individuals 
in  order  to  defeat  terrorism,  then  it  must  penetrate  the  veil  of  privacy. 

The  outcome  of  the  security-versus-privacy  debate  relies  on  three  main  factors:  1) 
the  nature  of  the  threat;  2)  the  effectiveness  of  intelligence  methods  taken  by  the 
government  to  counter  that  threat;  and  3)  the  effect  those  intelligence  efforts  have  on 
Americans’  privacy.  If  the  purpose  of  the  debate  is  to  reconcile  the  tensions  between 
competing  security  and  liberty  interests,  the  fundamental  question  is  how  do  we  measure 
each  component  in  order  to  balance  the  scale?  What  values  are  we  to  give  to  threat, 
intelligence,  and  privacy  in  order  to  correctly  convert  the  gain  on  one  side  with  a 
proportionate,  acceptable  loss  on  the  other?  Although  imprecise  and  controversial, 
methods  for  measuring  the  threat  and  the  effectiveness  of  intelligence  efforts  against  that 
threat  exist  in  various  forms.  It  does  not  appear,  however,  that  the  impact  of  surveillance 
on  privacy  is  measured  in  any  useful  way. 

This  thesis  addresses  the  problem  of  measuring  privacy  costs  by  examining  the 
following  questions:  What  elements  of  government  surveillance  programs  and  privacy 
expectations  must  be  taken  into  account?  What  level  of  domestic  surveillance  is 
acceptable  to  the  American  public?  And  finally,  how  can  we  measure  the  cost  of  privacy 
to  better  inform  the  security  versus  liberty  debate? 

!  Richard  Betts,  Enemies  of  Intelligence:  Knowledge  is  Power  in  American  National  Security  (New 
York:  Columbia  University  Press,  2007):  163,  quoted  in  Gregory  F.  Treverton,  Intelligence  for  an  Age  of 
Terror  (Cambridge:  Cambridge  University,  2009),  242. 
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B,  LITERATURE  REVIEW 

Discussions  about  the  tensions  between  security  and  liberty  usually  come  down  to 
three  core  arguments.  The  primacy  of  security  position  argues  that  the  threat  is  high,  and 
thus  security  trumps  concerns  over  civil  liberties.  Conversely,  the  defense  of  liberty 
argument  tends  to  undervalue  the  threat  while  making  civil  liberties  absolute  and  non- 
saerifieial.  Between  these  two  poles  rests  a  more  practieal  but  flawed  approach,  referred 
to  here  as  the  balaneing  act,  which  argues  for  a  balance  between  the  competing  seeurity 
and  liberty  interests. 

Central  to  the  primaey  of  security  position  is  the  argument  that  without  security, 
there  is  no  freedom.  Therefore,  individual  rights  are  submissive  to  overall  security 
concerns.  2  Proponents  argue  that  the  historical  record  favors  this  side  of  the  debate.  They 
are  quick  to  point  out  that  during  the  Civil  War,  World  War  I,  World  War  II,  and  the 
Cold  War,  up  until  the  post-Vietnam  era,  the  state  routinely  infringed  on  civil  liberties  in 
order  to  protect  the  country  from  threats. ^  Because  security  is  a  prerequisite  for  freedom, 
the  logic  continues,  the  state  is  free  to  do  anything  neeessary.^  In  the  extreme  form, 
Riehard  Posner  goes  so  far  as  to  argue  the  government  has  the  moral  duty  “to  violate 
legal,  including  constitutional,  rights  when  necessary  to  avoid  catastrophic  harm  to  the 
nation.”^  This  position  also  holds  that  the  Constitution  does  not  speeifically  provide  a 
right  to  privacy  anyway,  and,  even  if  it  did,  the  status  of  eivil  liberties  return  once  the 
threat  is  defeated.^  A  fundamental  challenge  to  the  primacy  of  security  position  is  that 


2  Alan  F.  Westin,  “How  the  Public  Sees  the  Security-versus-Liberty  Debate,”  in  Protecting  What 
Matters:  Technology,  Security,  and  Liberty  since  9/11,  ed.  Clayton  Northouse  (Washington,  DC: 
Brookings,  2005),  19;  Richard  A.  Posner,  Not  a  Suicide  Pact:  The  Constitution  in  a  Time  of  National 
Emergency  (New  York:  Oxford  University,  2006),  4;  Daniel  J.  Solove,  Nothing  to  Hide:  The  False 
Tradeoff  between  Privacy  and  Security  (New  Haven:  Yale  University,  2011),  209. 

3  Jerel  A.  Rosati,  “At  Odds  with  One  Another:  The  Tension  between  Civil  Liberties  and  National 
Security  in  Twentieth-Century  America,”  in  American  National  Security  and  Civil  Liberties  in  an  Era  of 
Terrorism,  ed.  David.  B.  Cohen  and  John  W.  Wells  (New  York:  Palgrave  Macmillan,  2004),  11-12; 
Solove,  Nothing  to  Hide,  55-56,  59. 

^  Julian  Richards,  “Intelligence  Dilemma?  Contemporary  Counter-terrorism  in  a  Liberal  Democracy,” 
Intelligence  and  National  Security  27,  no.  5  (2012):  764. 

^  Posner,  Not  a  Suicide  Pact,  14. 

^  Ibid.,  127;  Solove,  Nothing  to  Hide,  60-61. 
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security  is  more  than  physical  threats;  defending  democracy  also  “requires  the  defense  of 
democracy’s  ideals. 

The  defense  of  liberty  school  directly  challenges  the  logic  of  the  security  first 
position  through  five  main  counterarguments.  First,  the  historical  record  demonstrates 
contractions  of  liberties  during  war  in  what  is  otherwise  an  expansion  of  civil  liberties 
over  time.^  Second,  justifications  are  usually  based  on  a  preoccupation  with  internal 
threats  during  war,  with  questionable  validity  and  only  the  hope,  not  assurance,  that 
liberties  will  return  after  the  threat  ceases. ^  Third,  there  is  no  correlation  between 
decreasing  liberty  and  increased  security,  lo  Authors  such  as  Bruce  Schneier  argue,  “bad 
security  can  be  worse  than  no  security”  because  of  its  negative  effects  on  liberties  without 
any  positive  gain  for  security.  ^  Fourth,  if  the  Constitution  is  not  a  suicide  pact,  “neither 
is  war  a  blank  check”  12 — meaning  there  must  be  limits  to  state  powers  even  in  the  face  of 
a  persistent,  deadly  threat.  Fifth,  even  with  multiple  attacks  on  the  scale  of  9/11,  terrorism 
is  not  an  existential  threat,  while  eroding  liberties  is.i3  Therefore,  efforts  that  weaken  the 
Constitution  are  a  bigger  threat  to  the  state  than  terrorism,  The  basic  conclusion  of  this 
school  is  that  the  defense  of  liberty  supersedes  all  other  considerations;  subjecting  rights 
to  security  interests  makes  the  cure  for  terrorism  worse  than  the  infirmity. 

At  the  core  of  the  defense  of  liberty  school  of  thought  is  the  simple  but  profound 
premise  that  civil  liberties  are  absolute,  unalienable  rights  that  cannot  be  broken  no 
matter  what  the  threat  is.^^  Derived  from  this  underlying  position  is  the  conclusion  that 

2  Brian  Jenkins,  Unconquerable  Nation:  Knowing  Our  Enemy,  Strengthening  Ourselves  (Santa 
Monica,  CA:  RAND,  2006):  176,  quoted  in  Treverton,  Intelligence  for  Age  of  Terror,  261. 

^  Rosati,  “At  Odds  with  One  Another,”  11,  23-24. 

^  Ibid.;  Solove,  Nothing  to  Hide,  60-61. 

Solove,  Nothing  to  Hide,  34. 

1 1  Bruce  Schneier,  Beyond  Fear:  Thinking  Sensibly  About  Security  in  an  Uncertain  World  (New  York: 
Copernicus,  2003),  10,14. 

12  Treverton,  Intelligence  for  Age  of  Terror,  253. 

13  Ibid.,  261. 

1^  Westin,  “How  Public  Sees  Security- versus-Liberty  Debate,”  19. 

13  David  B.  Cohen  and  John  W.  Wells,  American  National  Security  and  Civil  Liberties  in  an  Era  of 
Terrorism,  1. 
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intelligence  collection  that  infringes  on  liberty  is  unethical,  and  therefore  must  be  avoided 
even  if  it  is  effective  against  a  threat,  This,  however,  is  an  unsustainable  application  of 
security  concerns.  Just  as  national  security  means  very  little  if  it  destroys  liberty,  so,  too, 
is  liberty  meaningless  without  physical  security.  Failing  to  recognize  this  will  turn  “give 
me  liberty,  or  give  me  death”  into  a  near  certainty  of  having  both  liberty  and  death. 

The  balancing  act,  the  third  approach,  criticizes  the  first  two  for  discrediting  the 
debate  by  applying  extreme  arguments,  At  first  look,  it  appeared  as  if  the  false-choice 
argument  and  the  balanced  approach  were  two  separate  positions.  As  it  turns  out,  the 
complementary  nature  of  the  two  cannot  be  avoided;  the  false  choice  reflects  this 
school’s  underlying  views,  while  the  balancing  act  is  how  to  resolve  security  and  liberty 
interests.  The  core  elements  of  the  false-choice  position  are  that  both  liberty  and  security 
are  important,  the  two  do  not  necessarily  contradict  each  other,  and  the  state  can  and  must 
protect  both.  With  these  ground  rules  set,  the  challenge  becomes  how  to  balance 
security  and  liberty  interests  against  a  threat  that  brings  the  battle-space  to  the  domestic 

front.  20 


16  Richards,  “Intelligence  Dilemma?”  764. 

12  Patrick  Henry,  “A  Chronology  of  U.S.  Historical  Documents:  Give  Me  Liberty  or  Give  Me  Death,” 
University  of  Oklahoma,  accessed  September  16,  2013,  http://www.law.ou.edu/ushistorv/henrv.shtml. 

1^  Treverton,  Intelligence  for  Age  of  Terror,  252. 

19  National  Commission  on  Terrorist  Attacks  upon  the  United  States,  The  9/11  Commission  Report: 
Final  Report  of  the  National  Commission  on  Terrorist  Attacks  upon  the  United  States  (Washington,  DC: 
Government  Printing  Office,  2004),  395;  Bruce  Berkowitz,  “Policies  and  Procedures  for  Protecting 
Security  and  Liberty,”  in  Protecting  What  Matters:  Technology,  Security,  and  Liberty  since  9/11,  83; 
Gilman  Louie  and  Gayle  von  Eckartsberg,  “Security  and  Liberty:  How  Technology  Can  Bridge  the 
Divide,”  in  Protecting  What  Matters:  Technology,  Security,  and  Liberty  since  9/11,  63,72;  Solove,  Nothing 
to  Hide,  2,3  4-35,210;  Cohen  and  Wells,  American  National  Security  and  Civil  Liberties,  1;  Loch  K. 
Johnson  and  James  J.  Wirtz,  Intelligence  and  National  Security:  The  Secret  World  of  Spies,  ed.  Loch  K. 
Johnson  and  James  J.  Wirtz,  2nd  ed.  (New  York:  Oxford  University,  2008),  344-45. 

20  Berkowitz,  “Policies  and  Procedures  for  Protecting  Security  and  Liberty,”  74-75,  77. 


4 


The  balanced  approach  is  a  process  that  applies  a  tradeoff  or  weighted  comparison 
of  each  side’s  interests  that  produces  a  desirable  outcome. 21  Its  process  relies  on  the 
threat  and  effectiveness  of  an  intelligence  tool  to  measure  the  national  security  interests 
and  the  harm  to  privacy  to  determine  the  civil  liberty  costs.  That  there  is  a  relationship 
between  threat,  effectiveness,  and  privacy  is  widely  recognized.  The  concept  of  a 
desirable  balance,  however,  is  drastically  skewed  because  of  incomplete  mechanisms  for 
weighing  each  side,  which  creates  the  ambiguity  that  permits  biases  of  security 
overruling  liberty  or  vice  versa.  22  One  of  the  main  reasons  for  the  problems  in  the 
balanced  approach  is  the  lack  of  methods  for  measuring  privacy  costs. 

C.  IMPORTANCE 

Balancing  national  security  interests  and  civil  liberties  has  long  been  a  concern  in 
the  United  States.  ^3  The  notion  of  a  balance  or  tradeoff  between  the  two  sides,  however, 
is  inaccurate.  While  there  are  ways  to  measure  the  threat  level  as  well  as  the  effectiveness 
of  a  particular  intelligence  method,  there  is  a  noticeably  absent  value  for  the  privacy  costs 
against  which  those  are  to  be  weighed.  For  example,  one  could  attempt  to  measure  the 
terrorist  threat  by  arguing  that  statistically,  an  American  has  a  1  in  3.5  million  chance  of 
dying  in  a  terrorist  attack  every  year.  34  Experts  such  as  John  Mueller  contend  this 
measurement  indicates  that  terrorism  presents  less  of  a  threat  than  many  other  concerns  in 
society.  Alternatively,  an  argument  could  be  made  that  between  9/11  and  September 
2012,  there  was  an  average  of  one  terrorist  attack  disrupted  every  two  and  a  half  months 


31  Cohen  and  Wells,  American  National  Security  and  Civil  Liberties,  viii;  Clayton  Northouse, 
“Providing  Security  and  Protecting  Liberty,”  in  Protecting  What  Matters:  Technology,  Security,  and 
Liberty  since  9/11,  4,8-9;  Schneier,  Beyond  Fear,  3;  Richards,  “Intelligence  Dilemma?”  763-64;  Solove, 
Nothing  to  Hide,  207;  Treverton,  Intelligence  for  Age  of  Terror,  241;  Rosati,  “At  Odds  with  One  Another,” 
24-25;  Garrett  Hatch,  Privacy  and  Civil  Liberties  Oversight  Board:  New  Independent  Agency  Status,  CRS 
Report  RL34385  (Washington,  DC:  Library  of  Congress.  Congressional  Research  Service,  August  27, 
2012),  1,  6;  Berkowitz,  “Policies  and  Procedures  for  Protecting  Security  and  Liberty,”  83. 

33  Westin  claims  that  all  positions  are  about  either  security  or  liberty  first;  all  other  positions  are 
nuances  of  one  of  the  two;  Westin,  “How  Public  Sees  Security-versus-Liberty  Debate,”  19. 

33  Rosati,  “At  Odds  with  One  Another,”  1 1-12;  Susan  J.  Tabriz!,  “At  What  Price?  Security,  Civil 
Liberties,  and  Public  Opinion  in  the  Age  of  Terrorism,”  in  American  National  Security  and  Civil  Liberties 
in  an  Era  of  Terrorism,  185-86. 

34  John  Mueller  and  Mark  G.  Steward,  “Hardly  Existential:  Thinking  Rationally  About  Terrorism,” 
Foreign  Affairs,  April  2,  2010,  http://www.foreignaffairs.com/articles/66186/iohn-mueller-and-mark-g- 
ste  wart/hardl  v-existential . 
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within  the  United  States. ^5  This  supports  a  different  measurement — one  of  a  persistent 
and  serious  threat.  Determining  whieh  of  these  approaches  is  the  most  appropriate  is 
beyond  the  scope  of  this  thesis,  but  the  point  is  that  we  at  least  have  ways  of  measuring 
the  threat. 

Measuring  effectiveness  is  also  possible,  such  as  through  demonstrating  a 
correlation  or  causation  between  an  intelligence  tool  and  the  disruption  of  terrorist 
activities.  NSA  Director  General  Keith  Alexander  and  FBI  Deputy  Director  Sean  Joyce 
justified  the  necessity  of  the  NSA’s  domestic  surveillance  tools  by  applying  this  rationale 
during  their  testimony  to  the  Flouse  Permanent  Select  Committee  on  Intelligence 
(HPSCI).  Both  Alexander  and  Joyce  credited  the  surveillance  programs  with  preventing 
more  than  50  terrorist  events,  including  10  targeting  the  United  States  and  a  specific 
threat  against  the  New  York  Stock  Exchange.  ^6  Others,  however,  claim  the  NSA  tools 
hardly  contributed  anything  to  the  prevention  of  those  plots  and  to  no  more  than  7.5 
percent  of  all  disrupted  terrorist  activities  within  the  United  States  since  9/11.27 
Irrespective  of  the  value,  there  are  methods  by  which  we  can  measure  the  effectiveness  of 
various  domestic  surveillance  tools. 

On  the  other  side  of  the  scale,  however,  there  is  no  generally  accepted 
measurement  for  the  civil-liberty  costs  incurred  by  domestic  intelligence  programs.  This 
makes  it  impossible  to  determine  where  the  balance  between  security  and  liberty  lies  and 
whether  it  needs  adjusted.  The  political  response  to  the  2013  disclosures  of  domestic 
surveillance  programs  demonstrates  the  negative  effects  of  an  incomplete  balancing 


25  Jessica  Zuckerman,  “Fifty-Third  Terror  Plot  Foiled  Since  9/1 1 :  Bombing  Targets  U.S.  Financial 
Hub,”  Heritage  Foundation,  Issue  Brief  3758  (2012), 

http://www.heritage.org/research/reports/2012/lQ/terror-plot-foiled-in-new-vork-bombing-targets-us- 

financial-hub. 

26  Patricia  Zengerle  and  Tabassum  Zakaria,  “NSA  Head,  Lawmakers  Defend  Surveillance  Programs,” 
Reuters,  June,  18,  2013,  http ://www.reuters.com/article/20 13/06/1 8/us-usa-securitv- 
idUSBRE95H15O2Q130618;  Patricia  Zengerle,  “FBI  Official  Says  NSA  Programs  Helped  Foil  NYSE 
Bombing  Plot,”  Rewterj,  June  18,  2013,  http://www.reuters.com/article/2013/Q6/18/us-usa-securitv-nvse- 
idUSBRE95H0OT20130618. 

27  Peter  Bergen  et.  ah,  “Do  NSA’s  Bulk  Surveillance  Programs  Stop  Terrorists?”  New  America 
Foundation,  January  2014,  4-5, 

http://www.newamerica.net/sites/newamerica.net/files/policvdocs/Bergen  NAF  NSA%20Surveillance  1 

0  O.pdf 


6 


framework.  Arguments  against  the  NSA’s  activities  by  civil-liberties  advocates 
progressed  under  the  assumption  that  intelligence  surveillance  has  crept  too  far  into  civil 
liberties,  and  therefore  the  government  must  reform  its  surveillance  programs  and 
processes.  28  Advocates  for  the  programs  argued  that  the  NSA  surveillance  efforts 
actually  impose  little,  if  any,  harm  to  civil  liberties.  Neither  side  made  a  convincing  case 
because  neither  side  could  provide  specific  assessments  regarding  privacy  costs. 
Consequently,  as  more  revelations  about  government  surveillance  capabilities  emerged, 
the  pressure  grew  and  tipped  the  balance  in  favor  of  privacy  interests.  In  January  2014, 
intelligence  reforms  were  announced  by  the  White  House.  In  essence,  our  inability  to 
measure  the  civil-liberty  side  of  the  scale  has  inclined  the  nation  to  alter  current  practices 
based  on  a  perception  that  there  is  an  unacceptable  level  of  encroachment  simply  because 
surveillance  occurs. 

D.  PROBLEMS  AND  HYPOTHESES 

A  fundamental  problem  this  thesis  must  address  is  how  to  determine  which 
factors  are  relevant  to  measuring  privacy  costs.  Comparing  Cold  War-era  domestic 
intelligence  violations  with  those  of  modern  programs  could  provide  valuable  insight  into 
what  the  key  variables  are.  For  example,  out  of  the  one  million  Americans  the  FBI  kept 
records  on  between  I960  and  1974,  it  investigated  500,000  of  them  it  suspected  were 
subversives  without  convicting  a  single  person. 29  Americans  rejected  these  FBI  practices 
as  unacceptable.  Similarly,  privacy  concerns  led  Congress  to  defund  the  Pentagon’s  Total 
Information  Awareness  (TIA)  program  in  2003,  which  would  have  collated  all 
information  about  a  person  from  government  records  as  well  as  every  private  transaction 
a  person  conducts. These  two  cases  serve  as  examples  of  domestic  intelligence  that 


28  Kristina  Peterson  and  Siobhan  Hughes,  “Disclosures  on  NSA’s  Surveillance  Embolden  Its  Critics  in 
Congress,”  Wall  Street  Journal,  August  24,  2013, 

http://online.wsi.eom/article/SB10001424127887323665504579029362415300556.html. 

29  George  Santayana,  “History  Repeated:  The  Dangers  of  Domestic  Spying  by  Federal  Law 
Enforcement,”  American  Civil  Liberties  Union,  accessed  September  12,  2013, 
https://www.aclu.org/sites/default/files/images/asset  upload  file893  29902.pdf 

20  Northouse,  “Providing  Security  and  Protecting  Liberty,”  3-4. 
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Americans  viewed  as  too  costly  to  their  privacy;  the  reasons  why  could  inform  what  to 
look  for  in  other  programs. 

Another  problem  is  that  societal  developments  challenge  traditional 
interpretations  of  privacy.  This  is  extremely  important  to  the  discussion  because  without 
a  valid  privacy  interest,  there  are  grounds  to  argue  that  there  is  no  privacy  cost. 
Moreover,  a  measurement  of  privacy  costs  would  be  incomplete  without  integrating  all 
areas  of  legitimate  privacy  interests.  It  is  therefore  necessary  to  establish  what  is  a  valid 
privacy  interest.  In  support  of  this  end,  it  might  be  useful  to  explore  the  amount  of 
personal  information  Americans  freely  provide,  to  whom,  how  often,  and  what  private 
details  it  reveals.  For  example,  major  telecommunications  companies  in  the  United  States 
collect  data  on  the  location  of  a  person’s  phone,  incoming  and  outgoing  calls  and 
messages,  and  Internet  use  and,  depending  on  the  company,  store  the  information  from  a 
period  of  one  year  to  indefinitely.  3 1  Is  society  more  willing  to  permit  the  access  and  use 
of  this  information  to  a  company  in  order  to  receive  a  service  than  to  allow  the 
government  access  and  use  of  the  same  information  in  order  to  provide  security? 
Analyzing  the  role  of  technology  in  today’s  society  compared  with  the  intent  of  Fourth 
Amendment  protections  could  help  establish  a  standard  of  American  privacy  against 
which  to  assess  the  extent  of  domestic  surveillance  tools. 

This  thesis  hypothesizes  that  two  primary  issues  translate  into  privacy  costs.  First 
is  the  expectation  Americans  have  for  government  behavior,  such  as  abusive  use  of 
surveillance  powers  or  how  well  the  government  safeguards  personal  information  in 
order  to  minimize  privacy  concerns.  Second  is  the  expectation  Americans  have  for 
privacy,  at  both  the  individual  and  societal  level. 

E.  METHODS  AND  SOURCES 

The  first  task  will  be  to  determine  what  expectations  Americans  have  for 
government  behavior  by  conducting  historical  comparison  and  analysis  of  domestic 

31  David  Kravets,  “Which  Telecoms  Store  Your  Data  the  Longest?  Secret  Memo  Tells  All,”  Wired, 
September  28,  2011,  http://www.wired.com/threatlevel/2Ql  1/09/cellular-customer-data/:  “Fact  Sheet  2b: 
Privacy  in  the  Age  of  the  Smartphone,”  Privacy  Rights  Clearinghouse,  accessed  September  13,  2013, 
https://www.privacvrights.org/fs/fs2b-cellprivacv.htm. 
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surveillances  programs  that  society  rejected  as  unacceptable.  This  section  will  primarily 
rely  on  Congressional  hearings  and  reports,  Inspector  General  (IG)  reports,  and 
information  the  government  released  about  surveillance  programs.  The  result  of  this 
process  will  be  to  capture  the  lessons  learned  from  failed  domestic  surveillance 
experiences,  identify  what  the  major  factors  are  for  scrutinizing  privacy  concerns  and 
safeguards,  and  then  determine  how  these  fit  into  a  model  for  measuring  privacy  costs  of 
other  domestic  intelligence  programs. 

The  second  task  will  be  to  establish  what  expectations  Americans  have  for  their 
privacy.  To  reach  this  conclusion  the  thesis  will  rely  on  the  comparison  between  two 
competing  indicators:  the  historical  standards  for  the  expectation  of  privacy  and  the 
modernization  of  society.  Sources  for  this  section  will  be  Supreme  Court  case  law, 
statistics  about  American’s  use  of  technology,  and  examples  of  how  the  nature  of 
information  is  becoming  more  personal.  This  section  will  conclude  with  new  standards 
for  what  constitute  a  subjective  and  reasonable  expectation  of  privacy,  which  will  be 
applied  to  the  model  for  measuring  privacy  costs. 

Once  the  expectations  for  government  behavior  and  privacy  are  established,  the 
lessons  from  both  will  be  turned  into  a  model  for  measuring  privacy  costs.  This  model 
will  then  be  applied  to  a  current  intelligence  program,  which  will  rely  on  declassified 
government  documents,  public  statements  made  by  politicians  and  intelligence  leaders, 
and  new  intelligence  policy  directives. 

F.  OVERVIEW 

In  Chapter  II,  the  thesis  turns  to  the  expectations  Americans  have  for  government 
behavior  in  domestic  intelligence  by  examining  the  experiences  of  Cold  War-era  and  TIA 
programs.  Chapter  III  will  address  the  expectations  Americans  have  for  privacy.  Chapter 
IV  will  provide  a  model  for  measuring  privacy  costs  based  on  the  lessons  and  conclusions 
of  Chapter  II  and  Chapter  III.  In  Chapter  V,  the  NSA’s  bulk  metadata  collection  program 
under  Section  215  of  the  Uniting  and  Strengthening  America  by  Providing  Appropriate 
Tools  Required  to  Intercept  and  Obstruct  Terrorism  Act  (Patriot  Act)  will  be  tested 
against  this  model.  It  will  also  review  2014  intelligence  reforms  to  evaluate  what  effect,  if 


9 


any,  these  reforms  had  on  the  privacy  costs  associated  with  the  NSA  program.  Chapter  VI 
will  conclude  with  suggestions  for  ways  forward,  to  include  which  programs  the  United 
States  might  need  to  reevaluate  in  order  to  strike  an  accurate  balance  with  the  security 
interest  of  the  state. 


10 


II.  EXPECTATIONS  FOR  GOVERNMENT  BEHAVIOR 


Privacy  violations  come  in  the  form  of  government  activities  against  its  citizens. 
It  is  therefore  instructive  to  review  government  programs  that  society  rejected  as  having 
too  high  of  privacy  costs.  These  discontinued  surveillance  programs  expose  the  core 
elements  that  society  deems  unacceptable  government  behavior  because  of  the  associated 
infringements  on  privacy.  What  follows  are  analyses  of  CIA,  FBI,  and  NSA  surveillance 
activities  from  the  1940s  through  1970s,  and  the  Total  Information  Awareness  initiative 
of  the  early  2000s.  The  purpose  of  this  chapter  is  to  discuss  the  capabilities  and  privacy 
implications  of  the  various  programs,  which  will  inform  the  Chapter  IV  discussion  on 
how  to  measure  privacy  costs. 

A.  COLD  WAR  PROGRAMS 

On  January  27,  1975,  the  U.S.  Senate  established  a  special  committee  to 
investigate  public  allegations  of  widespread  misconduct  by  the  intelligence  community 
(IC).32  The  mandate  of  the  Church  Committee  was  broad  and  included  the  following; 

•  determine  what  activities  the  intelligence  agencies  conducted, 

•  what  activities  these  agencies  should  conduct, 

•  whether  those  activities  conformed  to  the  law  and  Constitution, 

•  if  the  existing  laws  were  inadequate  to  protect  the  rights  of  citizens,  and 

•  how  to  improve  oversight  of  the  different  intelligence  agencies.  33 

In  order  to  accomplish  its  objectives,  the  Committee  focused  on  the  authorities, 
organization,  and  activities  of  the  CIA,  NSA,  FBI,  the  intelligence  components  of  the 
Department  of  Defense,  and  the  National  Security  Council.  34  By  the  time  it  concluded  in 
May  1976,  the  Church  Committee  had  detailed  the  intelligence  agencies’  expansive 

Select  Committee  to  Study  Governmental  Operations  with  Respect  to  Intelligence  Activities, 
Intelligence  Activities  and  the  Rights  of  Americans:  Final  Report,  Book  11,  S.  Rep.  No.  94-755,  at  v  (1976); 
“Church  Committee  Created,”  U.S.  Senate,  accessed  March  2,  2014, 
http://www.senate.gov/artandhistorv/historv/minute/Church  Committee  Created.htm. 

”  S.  Rep.  No.  94-755,  at  vi  (1976). 

Ibid.,  at  vii. 
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violations  of  constitutionally  protected  rights.  These  CIA,  NSA,  and  FBI  programs  stand 
as  examples  of  unendurable  infringements  on  privaey. 

1,  Capabilities 

The  apparent  partition  between  the  intelligenee  programs  and  agencies  during  the 
1940s  and  1970s  is  deceiving.  While  the  CIA,  NSA,  and  FBI  oversaw  their  own 
activities,  they  also  shared  intelligenee  with  other  offices  in  their  organizations  and  with 
eaeh  other.  Frequently  the  intelligenee  sharing  went  beyond  what  was  legally  permissible 
and  extended  into  eoordinated  domestie  surveillanee.  In  order  to  understand  the  full 
seope  of  the  privaey  infringements,  it  is  neeessary  to  evaluate  eaeh  program  individually 
while  also  eonsidering  the  capabilities  it  provided  to  the  overall  domestie  intelligenee 
apparatus. 


a.  CIA:  CHAOS 

Starting  around  August  1967  and  ending  in  Mareh  1974,  the  CHAOS  program 
was  an  intelligenee  operation  ran  by  the  CIA  to  determine  if  the  Soviets,  Chinese 
Communists,  and  Cubans  were  exploiting  domestic  protests  within  the  United  States  as  a 
means  to  conduet  espionage  and  subversion. 35  The  program  originally  foeused  on  the 
potential  foreign  eommunist  eontrol  of  the  anti- Vietnam  War  and  the  Blaek  Power 
movements.  Despite  evidenee  indicating  the  absence  of  any  significant  foreign  influence 
in  these  movements,  CHAOS  broadened  in  seope.  3^  One  of  the  main  reasons  for 
expanding  the  program,  aecording  to  former  Direetor  of  the  CIA  Riehard  Helms,  was  that 
in  order  for  the  CIA  to  aceurately  conelude  there  was  no  signifieant  foreign  infiuenee,  it 
had  to  prove  the  negative:  it  needed  to  investigate  all  the  anti-war  protestors  and  their 
contaets  to  ensure  no  assoeiation  existed  between  them  and  foreign  powers. 33  This 
defeetive  rationale,  however,  was  not  the  only  reason  why  the  CHAOS  program 
broadened  to  other  domestic  protestors.  The  White  House  initiated  the  program  through 
persistent  requests  to  the  CIA  and  then  was  skeptieal  of  the  results,  consequently  creating 

Ibid.,  at  100. 

Ibid.,  at  96. 

”  Ibid.,  at  101-02. 
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pressure  to  expand  its  scope. 38  In  addition,  the  FBI  submitted  intelligence  requirements 
to  CHAOS  for  its  own  questionable  domestic  surveillance  purposes,  which  also 
contributed  to  stretching  the  limits  of  the  program’s  reach.  The  FBI  started  submitting 
names  of  U.S.  citizens  to  the  CIA  for  monitoring  in  1970.  Its  sole  justification  for 
conducting  surveillance  on  these  people  was  an  accusation  that  they  engaged  in  domestic 
protests  and  violence.  39 

b.  CIA:  Mail  Opening  Program 

Several  CIA  programs  opened  mail  transiting  through,  to,  or  from  the  United 
States  between  1953  and  1973.^0  The  purpose  was  to  discover  Soviet  Union  intelligence 
efforts  within  the  United  States.  An  Inspector  General  (IG)  report  provided  to  the  Church 
Committee  during  the  hearings  explained  that  from  its  office  at  the  mail  processing  center 
at  LaGuardia  Airport  in  New  York  City,  the  CIA  screened  and  photographed  a  high 
volume  of  letters,  from  which  it  selected  a  smaller  number  to  steam  open,  copy,  reseal, 
and  place  back  into  the  mail  system.  Much  like  CHAOS,  these  mail  opening  programs 
broadened  beyond  the  original  purpose.  Starting  in  1969,  the  FBI  submitted  names  of 
domestic  political  radicals  and  black  militants  for  the  CIA  to  include  in  its  mail  opening 
programs.  By  1972,  the  FBI’s  request  list  expanded  to  include  protest  and  peace 
organizations,  such  as  the  People’s  Coalition  for  Peace  and  Justice,  the  National  Peace 
Action  Committee,  and  the  Women’s  Strike  for  Peace  as  well  as  subversive  groups  such 
as  the  Black  Panthers,  White  Panthers,  Black  Nationalists  and  Liberation  Groups, 
Students  for  a  Democratic  Society,  Resist,  and  Revolutionary  Union.^i 


^Ubid.,at  100-101. 

”  Ibid.,  at  100. 

The  FBI  also  had  a  mail-opening  program  but  terminated  it  in  1966,  at  which  point  it  started 
submitting  requirements  to,  and  receiving  the  benefits  from,  the  CIA  programs.  Ibid.,  at  12,  31,  59,107. 

Ibid.,  6,58, 107-08;  Intelligence  Activities:  Hearing  on  Mail  Opening,  Before  the  Select  Comm,  to 
Study  Governmental  Operations  with  Respect  to  Intelligence  Activities,  94th  Cong.  (October  21-24,  1975), 
176. 
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c.  A«4:  MINARET 

In  1962,  the  NSA  started  eolleeting  signals  intelligenee  (SIGINT)  on  Ameriean 
eitizens,  which  the  government  then  used  for  domestic  law  enforcement  purposes. ^2  That 
program  was  MINARET.  It  was  originally  limited  to  people  traveling  to  Cuba,  but  after 
the  Warren  Commission’s  report  on  the  assassination  of  President  Kennedy  the  Secret 
Service  asked  the  NSA  to  monitor  communications  of  people  who  were  potential  threats 
to  the  president.  43  Ever  since  this  initial  request  the  MINARET  watch  list  primarily 
focused  on  Americans. 44  Expanding  the  program,  however,  involved  more  than  the  NSA 
and  Secret  Service.  Throughout  the  1960s,  the  MINARET  watch  list  grew  in  response  to 
EBI  requests  to  include  people  suspected  of  narcotics  related  activity  and  domestic 
terrorism. 45  Not  until  1973,  in  the  immediate  aftermath  of  the  congressional  hearings  on 
Watergate,  did  the  attorney  general  shutdown  the  MINARET  program.  46 

d.  NSA:  SHAMROCK 

Erom  1947  until  1975,  at  least  three  international  cable  companies  provided  the 
NSA  with  millions  of  private  cables  sent  by  Americans.  47  The  program  expanded  to 
include  essentially  all  the  cables  to  or  from  the  United  States  sent  or  received  by  the  three 
major  communications  companies. 48  Couriers  from  these  companies  routinely 
transported  the  messages  to  NSA,  who  would  then  select  cables  for  additional  analysis 
and  destroy  the  rest.49  The  broadening  of  SHAMROCK,  however,  was  more  than  an 
increase  in  collection;  it  also  reflected  a  breakdown  of  the  rules  in  place  that  prohibited 
domestic  collection  by  the  NSA. 

Thomas  R.  Johnson,  Book  HI:  Retrenchment  and  Reform,  1972-1980,  vol.  5,  NSA  Period:  1952- 
Present  of  a  series  on  American  Cryptography  during  the  Cold  War,  1945-1989  (National  Security  Agency, 
1998),  84. 

Ibid.,  84. 

^  Ibid.,  84. 

Ibid.,  85. 

Ibid.,  86. 

S.  Rep.  No.  94-755,  at  6,  12,  104  (1976). 

Ibid.,  at  104. 

Johnson,  Retrenchment  and  Reform,  84. 
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e.  FBI:  Counterintelligence  Program 

The  FBI’s  Counterintelligence  Program  (COINTELPRO)  was  designed  to  disrupt 
groups  and  neutralize  individuals  that  it  designated  as  threats  to  domestic  security.  The 
program  originally  targeted  the  Communist  Party,  U.S.A.,  but  its  focus  gradually  shifted 
toward  domestic  dissenters.  Under  COINTELPRO,  the  EBI  collected  and  disseminated 
excessive  information  on  people  it  labeled  as  rabble  rousers,  agitators,  key  activists,  and 
key  black  extremists  and  then  used  covert  action  to  disrupt  or  neutralize  their  influence. 
Eor  example,  the  EBI  anonymously  attacked  the  political  beliefs  of  Americans  as  a  means 
of  provoking  their  employer  to  fire  them.  In  deliberate  attempts  to  destroy  marriages,  the 
EBI  mailed  anonymous  letters  to  the  spouses  of  the  people  it  was  trying  to  neutralize.  In 
some  cases,  the  FBI  prompted  the  IRS  to  investigate  Americans  as  a  form  of  harassment 
and  to  delegitimize  protest  leaders.  Finally,  targets  of  COINTELPRO  would  be 
physically  attacked  by  or  expelled  from  their  group  as  a  direct  result  of  the  EBI  falsely 
and  anonymously  labeling  them  as  government  informants.^*’ 

f.  FBI:  Communist  Infiltration 

Similar  to  COINTELPRO  and  CHAOS,  the  Communist  Infiltration  (COMINFIL) 
program  originally  focused  on  communist  influence  of  domestic  activists.  The  Church 
Committee  found  that  the  FBI  exaggerated  the  extent  of  domestic  communist  influence 
by  foreign  powers.  Consequently,  COMINFIL  expanded  into  the  EBEs  broadest 
intelligence  collection  program.  It  collected  a  wide  range  of  information  on  political, 
legislative,  and  cultural  activities,  youth,  women’s,  farmers’,  and  veterans’  matters,  and  a 
person’s  religion  and  education.  In  effect,  the  COMINFIL  program  provided  intelligence 
on  a  wide  range  of  groups  that  did  not  have  any  significant  connections  to  communists.^’ 

g.  FBI:  Watch  Lists 

A  key  contributor  to  domestic  intelligence  abuses  was  the  EBEs  use  of  watch 
lists.  The  EBEs  priority  arrest  list,  known  as  DETCOM,  contained  the  names  of  key 


S.  Rep.  No.  94-755,  at  10,63,69,89  (1976). 
Ibid.,  at  48,68. 
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figure  and  functionaries  of  the  Communist  Party.  52  Similarly,  the  Communist  Sabotage 
(COMSAB)  list  contained  names  of  potential  communist  saboteurs.  53  There  was  also  the 
Communist  Index,  which  although  its  name  implied  a  focus  on  key  communists  within 
the  United  States  was  actually  much  broader.  The  Communist  Index  contained  people  of 
interest  to  internal  security  irrespective  of  any  communist  connections.  54  Another 
important  list  maintained  by  the  FBI  was  the  Rabble  Rouser  Index.  According  to  the 
FBI’s  definition,  a  rabble-rouser  was  “a  person  who  tries  to  arouse  people  to  violent 
action  by  appealing  to  their  emotions,  prejudices,  et  cetera.”55  In  1967,  the  Rabble 
Rouser  definition  expanded  to  include  “persons  with  a  ‘propensity  for  fomenting’  any 
disorders  affecting  the  ‘internal  security’”  of  the  United  States.  55  The  FBI  renamed  it  the 
Agitator  Index  in  1968  and  applied  an  even  lower  standard  for  what  constituted  an 
agitator,  consequently  deflating  the  list’s  value.  52 

A  new  initiative  replaced  the  Agitator  Index:  it  was  known  as  the  Key  Activist 
program.  58  Key  activists,  as  defined  by  the  FBI,  were:  “individuals  in  the  Students  for 
Democratic  Society  and  the  anti-Vietnam  war  groups  [who]  are  extremely  active  and 
most  vocal  in  their  statements  denouncing  the  United  States  and  calling  for  civil 
disobedience  and  other  forms  of  unlawful  and  disruptive  acts. ”59  A  domestic  authority 
with  law  enforcement  power  categorizing  civil  disobedience  as  unlawful  is  antithetical  to 
freedom  and  a  precursor  for  privacy  violations.  Individuals  on  the  Key  Activist  list  were 
subject  to  technical  and  physical  surveillance  despite  not  being  suspected  of  committing 
or  planning  to  commit  a  federal  crime.  50 


“  Ibid.,  at  55. 
Ibid.,  at  55. 
Ibid.,  at  55. 
Ibid.,  at  90. 
Ibid.,  at  90. 
”  Ibid.,  at  90. 
Ibid.,  at  90. 
Ibid.,  at  90. 
“  Ibid.,  at  90. 
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The  FBI  abolished  the  Agitator  Index  in  1971  because  the  Agency  was  already 
conducting  surveillance  on  those  people  under  the  decades  old  Security  Index.  The  FBI 
and  Department  of  Justice  (DOJ)  created  the  Security  Index  as  part  of  an  emergency 
action  plan;  if  a  significantly  disruptive  event  occurred  that  threatened  the  effective 
operation  of  national,  state,  or  local  governments  or  of  national  defense,  the  FBI  would 
immediately  detain  the  individuals  on  this  list  without  warrant.  The  Church  Committed 
found  that  to  place  someone  on  the  Security  Index,  the  FBI  required  no  more  than  a 
“reasonable  ground  to  believe  that  such  person  probably  will  engage  in,  or  probably  will 
conspire  with  others  to  engage  in,  acts  of  espionage  and  sabotage,  including  acts  of 
terrorism  or  assassination” — or  any  other  act  that  could  create  a  significant  disruptive 
event.  Despite  the  FBI  tightening  the  Security  Index’s  standards  and  reducing  its  size  in 
1955,  those  names  taken  off  were  simply  placed  on  the  Communist  Index.  In  1960,  the 
FBI  renamed  the  Communist  Index  the  Reserve  Index  and  expanded  it  to  include 
professors,  teachers,  labor  union  organizers,  newsmen,  lawyers,  doctors,  and  scientists. 
The  Reserve  Index  served  as  a  list  of  people  who  would  receive  priority  consideration  for 
action  by  the  FBI  after  it  detained  those  listed  on  the  Security  Index. 

2,  Privacy  Implications 

Every  program  detailed  above  expanded  beyond  its  original  mission  to  include,  if 
not  exclusively  focus  on,  domestic  intelligence.  Two  major  components  of  the  privacy 
costs  weighed  against  these  programs  were  the  number  of  Americans  affected  and  the 
low  intelligence  value.  For  example,  by  the  time  the  CIA  terminated  CHAOS  its 
surveillance  had  included  radical  students,  African-American  expatriates,  and  U.S. 
persons  that  traveled  to  certain  overseas  locations.  More  concretely,  through  CHAOS 
operations  the  CIA  had  indexed  information  on  over  300,000  people  and  groups  and 
created  13,000  files  that  included  more  than  7,200  files  on  Americans  and  over  100  on 
domestic  groups. Committee  concluded  that  the  program’s  collection  was 

Ibid.,  at  92. 

“  Ibid.,  at  54-56,69,89,91-92. 

“  Ibid.,  at  100. 

'’Hbid.,  at  6,102. 
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excessive  and  that  much  of  the  information  was  irrelevant  to  legitimate  intelligence  and 

government  interests. 

In  the  end,  the  Committee’s  report  found  that  the  CIA  mail-opening  program 
produced  a  computerized  index  of  nearly  1,500,000  names.  The  Senate  hearings  on  mail 
opening  revealed  that  during  the  span  of  these  operations,  28,322,796  letters  were  subject 
to  screening,  of  which  the  CIA  photographed  2,705,726  envelopes,  copied  389,324 
envelopes,  and  copied  the  contents  of  215,820  letters  it  had  opened.  During  the  hearings, 
the  Church  Committee  struggled  to  find  a  single  case  of  these  operations  resulting  in  the 
identification  of  a  foreign  agent.  In  addition,  internal  IC  reports  scrutinized  at  the 
hearings  showed  that  the  information  was  only  occasionally  helpful,  a  meager  source  of 
intelligence,  and  of  very  little  value.  The  Church  Committee  report  concluded  that  the 
CIA  intercepted  communications  of  various  types  of  domestic  dissidents  through  the  mail 
opening  programs  that  was  unrelated  to  foreign  intelligence  or  counterintelligence 
purposes. 

The  NSA’s  MINARET  and  SHAMROCK  programs  received  similar  criticisms. 
The  Church  Committee  found  it  difficult  to  attribute  any  meaningful  intelligence  value  to 
MINARET.  For  example,  the  NSA  intercepted,  disseminated,  and  stored 
communications  that  were  mostly  of  a  private  or  personal  nature,  such  as  peace 
protestors,  anti-war  activists,  journalists,  and  a  spouse  of  a  U.S.  senator,  or  about  rallies 
and  demonstrations  that  were  already  public  knowledge.  While  the  1,600  names  on  the 
MINARET  watch  list  was  small  compared  to  the  scope  of  other  programs,  the  collection 
was  still  quite  substantial.  The  Committee  did  not  reveal  as  many  specifics  about  the 
NSA  programs  as  it  did  for  the  others.  What  is  likely  is  that  SHAMROCK  essentially 
operated  as  a  collection  method  for  acquiring  SIGINT  on  Americans  on  the  MINARET 
watch  list.  Under  the  SHAMROCK  program,  the  NSA  selected  approximately  150,000 


“  Ibid.,  at  102. 

Ibid.,  6,59,108;  Hearing  on  Mail  Opening,  1-2,6,31,168. 
”  S.  Rep.  No.  94-755,  at  108  (1976). 

“  Ibid.,  at  108-09. 
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messages  per  month  for  additional  analysis. Being  that  the  MINARET  list  was 
composed  of  mostly  Americans,  the  overall  effect  was  the  NSA  monitoring  a  pervasive 
amount  of  citizens’  private  communications. 

The  various  FBI  programs  resulted  in  widespread  surveillance  of  Americans. 
Between  1960  and  1974,  of  the  over  500,000  separate  investigations  of  subversive 
persons  or  groups,  not  a  single  person  or  group  was  prosecuted  under  the  relevant  laws 
that  prohibit  overthrowing  the  government — the  very  legal  basis  used  to  conduct  these 
investigations.^!  Prosecutions  based  on  other  laws  were  also  scarce.  For  example,  only 
1.3  percent  of  the  17,528  domestic  intelligence  investigations  by  the  FBI  in  1974  resulted 
in  prosecution  and  conviction.^^  Moreover,  the  500,000  number  represents  only  the 
investigations  carried  out  by  headquarters  and  does  not  include  those  conducted  by  the 
FBI  field  offices,  which  maintained  a  larger  number  of  investigative  files.  ^3  Not  only 
were  the  total  investigations  likely  much  higher,  but  so  was  the  number  of  people 
affected.  Domestic  intelligence  files  contained  information  on  more  than  one  person  or 
group.  The  Church  Committee  found  that  hundreds  or  thousands  of  group  members  or 
associates  could  be  included  in  a  single  fde.’^^ 

Another  major  component  of  the  privacy  costs  associated  with  these  programs 
was  the  breakdown  between  foreign  intelligence  agencies  and  domestic  law  enforcement. 
The  Committee  specifically  noted  how  the  CIA  programs  violated  the  ban  on  foreign 
intelligence  agencies  from  conducting  internal  security,  as  well  as  violating  statues  that 
protect  mail  privacy  and  prohibit  the  interception  of  communications.^^  The  NSA 
bypassed  several  similar  restrictions,  such  as  those  establishing  that  it  only  collect  foreign 
intelligence  and  monitor  only  foreign  communications,  but  not  communications  between 
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persons  within  the  United  States  or  coneeming  purely  domestie  affairs.  Regardless  of 
these  rules,  the  NSA  condueted  domestie  intelligenee.  Not  only  were  the  CIA  and  NSA 
programs  almost  exclusively  providing  intelligence  for  domestic  law  enforcement 
purposes,  but  many  of  the  investigations  they  supported  were  illegitimate.  For  example, 
the  FBI,  the  main  provider  of  names  to  the  watch  lists,  used  the  NSA  to  collect  SIGINT 
on  domestic  terrorists,  foreign  radical  suspects,  journalists,  civil  rights  leaders,  and 
politicians  such  as  high  profile  targets  Art  Buchwald,  Martin  Luther  King,  Jr.,  and  Frank 
Church.  All  of  these  programs  intentionally  neglected  privacy  protections  for 
American  citizens.  The  CIA,  NSA,  and  FBI  collectively  eroded  the  institutional  design  to 
separate  foreign  and  domestic  intelligence  as  a  means  of  protecting  American’s  against 
intrusive  government  power.  ^9  These  effects  provided  much  of  the  impetus  behind 
Senator  Church’s  push  for  legislative  changes  to  insure  intelligence  abuses  would  not 

occur  again. 

The  final  major  privacy  concern  raised  by  these  intelligence  programs  was  the 
blatant  disregard  for  constitutional  protections.  The  widespread  privacy  infringements 
violated  the  constitutional  rights  of  Americans  engaged  in  lawful  activity,  As  the 
record  shows,  these  domestic  intelligence  activities  did  not  focus  on  collecting  evidence 
for  criminal  investigations  but  instead  became  a  process  of  conducting  illegal 
surveillance  and  secret  activities  against  American  citizens. ^2  People  were  targeted  by 
the  government  for  First  Amendment  protected  activities  such  as  political  expression  and 
lawful  assembly.  ^3  Government  surveillance  and  intimidation  both  infringed  on  privacy 
and  deterred  citizens  from  exercising  their  First  Amendment  rights. 


’Nbid.,  at  69,104. 
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The  widespread  abuses  by  the  intelligenee  agencies  resulted  in  the  overhaul  of 
executive,  congressional,  and  judicial  intelligence  oversight.  In  the  summer  of  1975, 
President  Gerald  Ford  implemented  mechanisms  to  better  supervise  CIA  activities, 
restricted  CIA’s  domestic  activities,  banned  mail  opening,  and  ended  the  abusive 
wiretaps  and  use  of  tax  information.  President  Ford  also  issued  Executive  Order  11905 
in  February  1976,  which  established  an  Intelligence  Oversight  Board  within  the 
Executive  Office  of  the  President.*®  Congress  followed  suit.  The  Senate  created  the 
Select  Committee  on  Intelligence  in  May  of  1976  and  the  House  of  Representatives 
established  the  Permanent  Select  Committee  on  Intelligence  in  July  of  1977.*^  Congress 
empowered  both  Committees  with  oversight  of  the  IC  and  the  power  to  authorize 
expenditures  for  intelligence  activities.**  Another  key  change  was  the  1978  Eoreign 
Intelligence  Surveillance  Act  (PISA)  that  put  strict  legal  conditions  on  the  IC’s  use  of 
electronic  surveillance  and  established  the  PISA  Court  (PISC)  as  the  approving  authority 
for  such  surveillance.  *9  Pinally,  the  Intelligence  Oversight  Act  of  1980  established  the 
criteria  for  intelligence  reporting  to  the  oversight  committees,  which  included  disclosing 
covert  actions  and  the  loose  standard  of  keeping  the  committees  fully  and  currently 
informed.  All  of  these  reforms  produced  the  cumulative  effect  of  placing  the  IC 
“within  the  constitutional  scheme  for  controlling  government  power”9i  and  created  an 
overlay  of  oversight  bodies  focused  on  better  protecting  civil  liberties.  ^2 

B,  TOTAL  INFORMATION  AWARENESS 

In  2002,  the  Defense  Advanced  Research  Agency  (DARPA),  an  organization 
within  the  Department  of  Defense  (DOD),  announced  it  was  developing  new  intelligence 

“The  Evolution  of  the  U.S.  Intelligence  Community-An  Historical  Overview,”  Federation  of 
American  Scientists,  accessed  March  2,  2014  http://www.fas.org/irp/offdocs/int022.html. 
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technologies  under  its  TIA  initiative. ^3  In  September  2003,  the  program  ended  after 
suffering  public,  media,  and  Congressional  backlash. 94  At  the  core  of  the  TIA 
controversy  was  its  improper  balance  between  security  and  privacy.  The  TIA  experience 
thus  provides  an  example  of  a  national  security  program  that  ended  due  to  unacceptable 
privacy  costs. 

1,  Capabilities 

Immediately  following  9/11,  national  leaders  focused  on  the  need  to  break  down 
the  barriers  between  1C  partners,  increase  intelligence  sharing,  and  improve  the  ability  of 
the  1C  to  connect  disparate  fragments  of  intelligence.  The  TIA  program,  as  envisioned, 
was  the  theoretical  answer  to  these  problems.  The  goal  of  TIA  was  to  create  a 
counterterrorism  information  architecture  that  would;  increase  access  to  and  sharing  of 
information,  thereby  increasing  how  much  total  information  was  available  and  could  be 
evaluated;  provide  automatic  warnings  of  dangerous  or  suspicious  activity  after  a  trigger 
event  occurred;  cue  analysts  about  peoples’  activities  that  match  terrorist  behavioral 
patterns;  enable  hypothesis  testing  of  theories  and  mitigation  strategies  related  to  future 
terrorist  activities. 93  Increasing  access,  sharing,  and  coverage  of  information  were 
technical  solutions  to  having  data  and  analysts  dispersed  throughout  the  world.  Trigger 
events  and  behavioral  patterns  were  also  technical  solutions  in  which  computers  would 
have  analyzed  vast  amounts  of  transactional  and  behavioral  data  and  then  provide 
warnings  of  suspicious  activity. 

Procedurally,  TIA  would  have  started  with  a  red  team  developing  different 
terrorist  attack  scenarios  against  the  United  States,  determine  what  planning  and 
preparation  activities  these  attacks  require,  create  a  list  of  expected  transactions  that 

John  Markoff,  “Pentagon  Plans  a  Computer  System  that  Would  Peek  at  Personal  Data  of 
Americans,”  New  York  Times,  November  9,  2002, 
http://www.nvtimes.eom/2002/l  l/09/politics/09COMP.html. 
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would  fit  these  models,  and  analyze  what  behavioral  patterns  a  terrorist  would  likely 
follow  for  a  given  attack  scenario.  ^6  For  such  a  program  to  work,  however,  would  have 
required  intelligence  analysts  to  have  access  to  a  considerable  amount  of  data  not  only  on 
known  or  suspected  terrorists,  but  also  on  everyone  else.  In  order  to  differentiate  between 
the  average  person,  the  person  who  is  neither  average  nor  a  terrorist,  and  the  terrorist 
required  monitoring  the  activities  of  everyone.  Distinguishing  the  terrorists  and  their 
activities  from  the  general  population  required  a  set  of  tools,  which  were  the  new 
technologies  DARPA  planned  to  develop  as  subprograms  of  TIA.^^  The  technologies 
with  the  most  notable  privacy  concerns  were  Genisys,  Evidence  Extraction  and  Eink 
Discovery,  Scalable  Social  Network  Analysis,  Misinformation  Detection,  Human 
Identification  at  a  Distance,  Activity,  Recognition  and  Monitoring,  and  Next-Generation 
Eace  Recognition. 98 

a.  Genisys 

The  purpose  of  the  Genisys  program  was  to  develop  the  technology  necessary  to 
integrate  databases  and  other  information  sources.  At  the  time,  the  available  technology 
was  too  complex,  inflexible,  slow,  and  error  prone;  making  integrating  or  creating 
databases  on  a  scale  required  by  the  IC  extremely  difficult  to  achieve.  By  developing  a 
federated  database  architecture,  Genisys  would  have  enabled  analysts  to  access,  use,  and 
evaluate  more  information.  The  program  would  have  integrated  data  related  to  “all 
potential  terrorists  and  possible  supporters;  terrorist  materials;  training,  preparation,  and 
rehearsal  activities;  potential  targets;  specific  plans;  and  the  status  of  [U.S.]  defenses. ”99 
Genisys  was  a  program  designed  to  connect  the  dots  for  an  IC  that  was  heavily  criticized 
for  failing  to  do  so  before  9/11;  it  would  have  done  this  by  developing  groundbreaking 
ways  of  accessing  and  sharing  unprecedented  amounts  of  information  at  as  close  to  real 
time  as  possible, 

DARPA,  Report  to  Congress,  3,  6,  18-31. 
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b.  Evidence  Extraction  and  Link  Discovery 

The  technologies  DARPA  slated  for  development  under  the  Evidence  Extraction 
and  Eink  Discovery  (EELD)  program  would  have  taken  unstructured  textual  data  from 
sources  ranging  from  intelligence  to  news  reports  and  automatically  extract  information 
about  relationships  between  people,  organizations,  and  places.  Its  anticipated  intelligence 
value  would  have  been  to  minimize  the  analysis  of  legitimate  activities  and  focus  instead 
on  those  the  system  automatically  flagged  as  suspicious.  The  automated  analysis  of 
various  sources  could  have  potentially  discovered  new  threats  from  unknown  individuals 
or  groups.  Conceptually,  it  would  have  automatically  found  the  dots,  decided  which  dots 
to  connect,  and  connected  them.i*’! 

c.  Scalable  Social  Network  Analysis 

The  objective  of  Scalable  Social  Network  Analysis  (SSNA)  was  to  improve  social 
network  analysis  capabilities  by  identifying  normal  patterns  of  behavior,  patterns  that 
match  the  behavior  of  terrorist  groups,  and  changes  in  a  terrorist  network  that  indicate  an 
impending  attack.  1^2  intelligence  value  of  this  program  was  basic,  but  important:  in 
order  to  defeat  a  terrorist  network,  intelligence  must  first  detect  and  define  that  network. 
It  would  have  required  essentially  the  same  type  of  information  as  the  EEED  program — 
namely,  information  that  defined  or  explained  the  relationships  between  people, 
organizations,  and  places.  The  SSNA  program  would  have  included  information  that 
characterizes  the  type  of  interactions  between  people,  the  nature  of  the  interaction,  and 
the  different  roles  people  have  in  a  social  network. 

d.  Misinformation  Detection 

The  focus  of  the  Misinformation  Detection  (MInDet)  program  was  to  determine 
the  intelligence  reliability  of  publicly  available  sources  and  identify  intentional 
misinformation  efforts  against  the  IC.104  While  this  would  have  had  a  general 
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intelligence  value  in  the  form  of  vetting  open  sources,  another  application  of  the  program 
could  have  provided  a  much  more  specific  counterterrorism  value.  Based  on  the  premise 
that  terrorists  and  their  supporters  would  intentionally  try  to  hide  information  about 
themselves  and  their  activities,  the  proposal  for  MInDet  envisioned  the  potential  for  the 
program  to  detect  deceptive  information  on  government  forms  and  in  textual  documents, 
which  could  then  prompt  a  more  thorough  investigation  into  the  person’s  activities.  1^5 

e.  Human  Identification  at  a  Distance 

The  purpose  of  Human  Identification  at  a  Distance  (HumanID)  was  to  advance 
biometric  technologies  “with  the  capability  to  detect,  recognize,  and  identify  humans  at  a 
distance.”!*’®  In  essence,  the  program  would  have  monitored  people  near  government 
facilities  with  video,  infrared  imagery,  and  multispectral  sensors,  collect  their  biometric 
signatures,  uniquely  identify  them,  and  presumably  provide  a  reliable  assessment  on 
whether  or  not  a  person  was  threatening.  DARPA  described  the  intelligence  value  of  this 
program  as  providing  critical  early  warning  against  human-based  threats,  such  as 
terrorism.!*’^ 

f.  Activity,  Recognition  and  Monitoring 

Where  HumanID  focused  on  the  individual  biometrics.  Activity,  Recognition  and 
Monitoring  (ARM)  sought  to  develop  technologies  to  capture,  identify,  and  classify 
different  types  of  human  activities  in  a  surveillance  environment. The  intelligence 
value  of  this  program  would  have  been  to  differentiate  normal  and  suspicious  human 
behaviors  in  a  given  area  or  situation  and  then  provide  a  warning  when  it  detected 
questionable  behavior.  For  example,  it  potentially  could  have  identified  unattended 
packages  at  a  public  event  or  terrorists  casing  a  critical  infrastructure  target. 

ARM  program  would  have  relied  on  similar  sources  as  HumanID,  to  include  video,  agile 
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sensors,  low  power  radar,  infrared  sensors,  and  radio  frequeney  tags,  no  An  implied 
eapability  was  the  ability  to  monitor  the  routine  behavior  of  average  eitizens  in  order  to 
develop  the  baseline  human  aetivity  models  on  whieh  this  relies.  Additionally,  the  ARM 
program  also  implied  eonstant  surveillanee  in  publie  plaees,  as  the  eolleetion 
teehnologies  would  feed  the  automated  warning  eomponents  of  the  system. 

g.  Next-Generation  Face  Recognition 

The  Next-Generation  Faee  Reeognition  (NGFR)  program  pursued  development 
of  new  faeial  biometries  eolleetion  and  analysis  tools.  After  developing  the  teehnology, 
NGFR  would  have  been  able  to  automatieally  and  eonfidently  identify  known  or 
suspeeted  individuals  detected  by  a  web  of  sensors.  Implied  in  this  program  would  have 
been  its  integration  with  the  HumanID  and  ARM  surveillance  sensors  against  which  to 
run  the  facial  recognition  technology.  An  additional  major  component  of  the  NGFR 
program  would  have  been  to  create  a  large  database  of  facial  imagery.  1 1 1 

h.  Composite  Capabilities  of  the  Total  Information  Awareness  Program 

Taking  all  of  the  subprograms  into  account,  two  characteristics  of  TIA  stand  out. 
First,  there  was  a  robust  virtual  surveillance  component.  Genisys  would  have  established 
the  information  network  that  provided  access  to  incomparable  amounts  of  data  on 
terrorists,  criminals,  and  law  abiding  American  citizens.  The  FELD  program  would  have 
then  used  Genisys’  database  infrastructure  to  sift  through  the  treasure  trove  of 
information  and  automatically  decipher  links  between  people,  places,  and  organizations. 
In  essence,  it  would  automatically  build  the  social  network  of  whomever  the  analyst 
queries.  Applying  the  SSNA  program  would  better  refine  that  person’s  network  and  use 
automated  tools  to  determine  if  that  person’s  social  network  is  legitimate  or  resembles  a 
terrorist  group.  Finally,  although  the  MInDet  program  is  not  directly  connected  to  the 
chain  of  virtual  surveillance,  automatically  scrutinizing  government  documents  and 
publicly  available  information  could  provide  the  impetus  for  starting  an  investigation  into 
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someone’s  behavior  by  indicating  to  the  HELD  or  SSNA  programs  that  this  person’s 
activity  is  questionable. 

Second,  TIA  included  robust  physical  surveillance  capabilities.  Common  to  both 
HumanID  and  NGFR  would  have  been  the  ability  of  the  government  to  use  a  distributed 
web  of  complex  sensors  across  numerous  facilities  and  public  environments  to  uniquely 
identify  people.  In  order  for  these  programs  to  work,  each  would  have  to  communicate 
with  a  database  of  personally  identifiable  biometric  data  in  order  to  establish  an  identity. 
In  addition,  the  ARM  program  would  have  provided  the  capability  to  flag  suspicious 
activity  detected  on  the  same  network  by  comparing  a  person’s  behavior  with  models  of 
what  it  considered  suspicious.  Yet  to  do  this  required  substantial  surveillance  of  routine, 
law-abiding  behavior  in  order  to  establish  a  baseline  of  non-threatening  behavior.  Such 
were  the  proposed  virtual  and  physical  capabilities  of  TIA;  the  privacy  implications  were 
many. 


2,  Privacy  Implications 

Criticisms  of  TIA  included  accusing  DARPA  of  creating  a  dragnet.  Big  Brother 
spying  program  against  Americans  that  was  outside  of  congressional  oversight  and 
lacked  sufficient  safeguards,  constitutional  protections,  clear  accountability,  and  privacy 
related  guidelines.  These  claims  had  merit,  but  so  did  DARPA’s  defense  of  TIA.  The 
program  was  in  the  developmental  stage  and  under  an  agency  whose  focus  was  to  create 
the  new  technologies  required  to  fill  intelligence  capability  gaps.  Since  TIA  was  a 
conceptual  research  and  development  program,  DARPA  argued  there  were  practical 
reasons  why  robust  privacy  mechanisms  were  not  yet  built  into  the  system.  This  is  not  to 
say  that  DARPA  ignored  the  privacy  concerns  raised  by  TIA.  On  the  contrary,  DARPA 
repeatedly  addressed  the  privacy  implications  in  its  description  of  TIA  subprograms  and 
was  developing  the  Genisys  Privacy  Protection  program  as  part  of  TIA.  Nevertheless, 

Ron  Wyden,  “Wyden  Calls  for  Congressional  Oversight,  Accountability  of  Total  Information 
Awareness  Office,”  news  release,  January  15,  2003,  http://www.wvden.senate.gov/news/press-releases; 
Timothy  J.  Burger,  “A  Terror  Tracking  System  by  Any  Other  Name,”  TIME,  May  14,  2003, 
http://content.time.eom/time/nation/article/0. 8599,45 1925.00.html;  Markoff,  “Pentagon  Plans  a  Computer 
System  that  Would  Peek  at  Personal  Data  of  Americans.” 
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the  reservations  assoeiated  with  TIA  were  so  substantial  that  Congress  defunded  the 
program. 

From  DARPA’s  perspective,  the  principal  concerns  raised  by  TIA  came  from  the 
programs  with  data  access,  data  search,  and  pattern  recognition  capabilities — namely, 
Genisys,  HELD,  SSNA,  MInDet,  HumanID,  ARM,  and  NGFR.  The  core  privacy  issues 
with  HumanID,  ARM,  and  NGFR  related  to  program  effectiveness  and  accuracy,  where 
and  when  the  technologies  would  be  deployed,  and  if  the  programs  would  analyze  stored 
surveillance  of  public  places.  These  concerns,  however,  were  secondary  to  those  created 
by  the  Genisys,  FEED,  SSNA,  and  MInDet  data  search  and  analysis  tools,  which  focused 
on  the  type  of  information  stored  in  the  programs’  databases.  i 

In  addition  to  program  specific  implications,  DARPA  also  identified  broad  level 
privacy  concerns.  Chief  among  these  were  access  to  sensitive  personal  information, 
access  to  aggregate  personal  information,  storing  personal  information,  unauthorized 
access  to  or  use  of  the  sensitive  information,  and  accuracy  of  the  personal  information, 
The  level  of  attention  given  to  privacy  concerns  and  DARPA’s  plan  for  addressing  them 
reflects  that  the  agency  was  serious  about  creating  protections  in  tandem  with  the  other 
technologies.  Its  development  of  tools  to  limit  searches  to  legally  authorized  results, 
provide  an  automated  audit  trail  of  searches  and  record  retrieval,  and  make  the  data 
anonymous  demonstrated  this  commitment.  1 These  tools  were  part  of  a  program  called 
Genisys  Privacy  Protection,  which  would  have  also  been  part  of  TIA.  1 

A  Department  of  Defense  IG  report  conducted  in  response  to  a  request  from 
Senators  Chuck  Grassley,  Bill  Nelson,  and  Chuck  Hagel  offers  another  perspective  on  the 
privacy  implications  of  TIA.  The  IG  report  identified  two  significant  privacy  concerns 
with  TIA  not  addressed  in  DARPA’s  analysis.  First,  DARPA  did  not  conduct  a  privacy 
impact  assessment  (PIA).  DARPA  defended  the  choice  not  to  conduct  a  PIA  based  on  its 
use  of  artificial  data  and  legally  obtained  intelligence;  this  type  of  information  did  not 
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require  an  assessment,  n*  While  the  IG  eoneeded  that  DARPA’s  argument  was 
teehnieally  eorreet,  it  nonetheless  eoneluded  that  “in  the  ease  of  TIA,  prudenee  would 
dietate  that  a  requirement  for  a  privaey  impaet  assessment  be  done  as  a  best  business 
praetiee.”ii9  The  IG’s  argument  foeused  on  three  eore  points:  when  aggregated,  the 
information  would  have  been  used  for  purposes  other  than  the  original  intent; 
development  of  TIA  teehnologies  oeeurred  simultaneously  with  its  transition  to 
operational  status;  TIA  would  have  been  used  for  domestie  law  enforeement  purposes.  120 
The  use  of  artifieial  data  was  irrelevant  beeause  the  intelligenee  teehnologies  were 
shifting  into  operational  status,  after  whieh  hypothetieal  privaey  issues  shifted  to  aetual 
privaey  violations.  The  other  signifieant  privaey  issue  addressed  by  the  IG  was  the  use  of 
Department  of  Defense  assets  for  domestie  purposes:  “the  use  of  TIA  by  law  enforeement 
is  what  has  eaused  the  greatest  publie  eoneem  over  privaey.”  121  The  fear  was  that  TIA 
ereated  a  substantial  inerease  in  government  power  preeisely  in  the  seetion  of  government 
with  law  enforeement  authority;  the  program  was  primed  for  abuse  and  misuse.  122 

One  noteworthy  privaey  eoneem  brought  up  in  publie  eritieism  of  TIA  was  the 
nature  of  the  information.  Allegations  of  Big  Brother,  dragnet  surveillanee  eame  out  of 
TIA’s  seope  of  eolleetion  as  well  as  the  type  of  information  it  would  use.  Identifying 
patterns  of  behavior,  monitoring  for  automatie  triggers  of  suspieious  behavior,  and 
similar  aetivities  mentioned  in  the  eapabilities  seetion  above  require  substantial  eolleetion 
of  and  aeeess  to  transaetional  data.  The  types  of  data  that  DARPA  would  have  used  under 
TIA  were  finaneial  reeords,  edueational  doeuments  and  information,  travel  aetivities, 
medieal  reeords,  transportation  history,  housing  information,  email  and  telephone 
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records,  credit  card  purchases,  and  countless  government  records.  123  Access  to  these 
transactional  records  would  have  resulted  in  making  available  to  intelligence  and  law 
enforcement  agencies  commercial  and  government  records  on  a  colossal  scale.  Permitting 
the  executive  branch  to  collect  and  access  this  personal  information  creates  a 
considerable  privacy  infringement.  Although  DARPA  argued  that  TIA  would  not  include 
dossiers  on  U.S.  citizens  nor  maintain  a  single  grand  database  of  all  U.S.  transactions,  124 
such  a  technical  distinction  was  immaterial.  DARPA  recognized  that  TIA  would  have 
eliminated  the  virtual  obscurity  of  having  personal  data  spread  throughout  different 
sources  and  formats  through  providing  almost  instantaneous  access  to  all  these  data.  1 25 
Rapid  access  to  various  sources  of  sensitive  personal  information  would  have  achieved 
the  same  functional  purpose  of  dossiers  but  in  the  form  of  search  results,  and  of  a  grand 
database  but  in  the  form  of  broad  access  to  multiple  databases.  It  is  therefore  necessary  to 
factor  in  privacy  concerns  derived  from  what  information  reveals  about  a  person  when 
aggregated  with  numerous  sources. 

C.  CONCLUSION 

The  Cold  War  era  CIA,  NSA,  and  FBI  intelligence  activities  as  well  as  the  post- 
9/1 1  TIA  subprograms  represented  unacceptable  infringements  on  privacy.  Society,  as 
the  stakeholder  in  privacy  interests,  rejected  certain  government  behavior  as  having  too 
high  of  a  cost.  It  is  not  to  say  that  every  national  security  program  must  have  the 
expressed  approval  of  the  people,  but  it  is  to  say  that  some  things  are  unacceptable. 
Measuring  privacy  costs  therefore  requires  applying  these  lessons  by  avoiding  the 
unacceptable  costs  and  working  toward  the  threshold  of  what  is  acceptable.  More  of  this 
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will  be  addressed  in  Chapter  IV.  What  suffiees  at  this  point  is  to  reeognize  that  there  are 
historically  founded  characteristics  of  inappropriate  government  behavior.  Before 
discerning  the  boundaries  on  privacy  costs,  it  is  first  necessary  to  address  the  second 
primary  factor  of  measuring  privacy  costs:  the  expectation  of  privacy.  Whereas  society’s 
standards  temper  government  action,  the  government’s  interest  in  protecting  society 
shapes  what  is  a  reasonable  expectation  of  privacy.  It  is  to  this  issue  that  this  thesis  now 
turns. 


31 


THIS  PAGE  INTENTIONALLY  LEET  BLANK 


32 


III.  EXPECTATION  OF  PRIVACY 


The  thesis  now  turns  to  the  second  of  the  two  primary  issues  that  affect  privacy 
costs:  an  expectation  of  privacy.  One  way  to  assess  privacy  costs  is  to  ascertain  if  a 
person  has  a  valid  privacy  interest  and  determine  if  a  surveillance  program  infringes  on 
that  interest.  This  interest  is  commonly  referred  to  as  an  expectation  of  privacy,  which  is 
based  on  a  person  exhibiting  a  subjective  expectation  of  privacy  and  society’s  willingness 
to  accept  that  expectation  as  reasonable.  ^26  Interpretations  of  what  satisfies  these  two 
standards  are  rooted  in  Supreme  Court  cases  from  the  1970s  and  have  become  outdated. 
The  changing  information  landscape  requires  a  shift  in  the  subjective  and  reasonable 
standards  of  privacy  in  order  to  fully  account  for  the  privacy  costs  of  modern  surveillance 
programs.  This  chapter  will  demonstrate  that  there  is  an  increase  in  personal  information 
available  to  surveillance  programs,  which  brings  with  it  significant  privacy  implications. 
It  will  conduct  a  brief  analysis  of  the  subjective  and  reasonable  standards  of  the 
expectations  of  privacy  followed  by  an  argument  for  how  the  pervasiveness  of 
technology  in  modem  society  challenges  traditional  interpretations  of  these  two 
conditions.  The  chapter  will  conclude  by  offering  new  standards  for  evaluating  a 
subjective  and  reasonable  expectation  of  privacy  that  will  result  in  a  more  accurate 
assessment  of  privacy  costs. 

A,  SUBJECTIVE  AND  REASONABLE  PRIVACY  STANDARDS 

The  Supreme  Court  developed  the  expectation  of  privacy  standards  as  a  way  to 
gauge  if  a  person  has  a  Fourth  Amendment  privacy  interest  that  protects  him  or  her 
against  unwarranted  domestic  surveillance.  Starting  in  Katz  versus  United  States,  the 
Court  applied  a  twofold  test  to  ascertain  if  a  person  has  a  valid  privacy  interest:  “first  that 
a  person  [has]  exhibited  an  actual  (subjective)  expectation  of  privacy  and,  second,  that 
the  expectation  be  one  that  society  is  prepared  to  recognize  as  ‘reasonable. a 
subjective  expectation  hinges  on  what  actions  a  person  takes  to  exhibit  his  or  her  intent  to 

^^^Katz  V.  United  States,  389  U.S.  347  (1967). 

Ibid. 
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maintain  privacy,  such  as  the  things  a  person  keeps  to  him  or  herself.  In  his  coneurring 
opinion  in  Katz,  Justice  John  Marshall  Harlan  II  argued  that  a  person  must  demonstrate 
an  intention  to  keep  objects,  activities,  or  statements  to  himself  in  order  to  claim  an 
expectation  of  privacy,  Similarly,  Justice  Byron  White  argued  that  the  intent  to 
preserve  privacy  is  reflected  by  a  person’s  efforts  to  exelude  the  uninvited  ear.  129  while 
these  actions  certainly  demonstrate  a  person’s  intent  to  keep  something  private,  the  effect 
is  to  substitute  seerecy  for  privaey.  Both  justiees  Harlan  and  White  maintained  that 
sharing  information  negates  a  subjective  expeetation  of  privaey.  i^o  This  interpretation  of 
what  eonstitutes  a  subjective  expectation  of  privacy  contradicts  the  fundamental  purpose 
of  the  Fourth  Amendment.  Constitutional  privacy  safeguards  are  designed  to  protect  a 
person  against  government  inference  in  his  or  her  life,  12 1  whieh  entails  substantially 
different  eonsiderations  than  the  burdensome  requirement  that  everyone  must  keep 
everything  secret.  Put  a  different  way,  it  is  not  that  a  person  has  a  right  to  keep  things 
secret;  it  is  that  he  or  she  is  free  from  unwarranted  government  intrusion.  The  problem 
with  demanding  seerecy  in  order  to  maintain  a  privaey  interest  is  it  erodes  privacy 
protections  by  setting  an  infeasible  requirement,  thereby  giving  the  government  access  to 
information  that  it  ean  argue  does  not  raise  privacy  costs  because  there  is  no  legitimate 
privaey  interest. 

A  valid  privacy  interest  requires  not  just  a  person  exhibiting  a  subjective 
expectation  of  privacy,  but  society  must  reeognize  it  as  reasonable.  The  most  influential 
interpretation  of  what  soeiety  will  aecept  as  a  reasonable  expectation  of  privacy  is  known 
as  the  third  party  doetrine.  The  doctrine  was  established  in  the  cases  Smith  versus 
Maryland  and  United  States  versus  Miller,  in  which  the  Supreme  Court  held  that  society 
rejects  an  expectation  of  privacy  when  a  person  voluntarily  provides  information  to  a 
third  party.  The  two  premises  of  the  Court’s  conclusion  were  that  voluntarily  providing 
information  to  a  third  party  does  not  exhibit  a  subjective  expectation  of  privacy  and  the 


Ibid. 

Ibid. 
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person  providing  the  information  aceepts  the  risk  that  it  will  be  given  to  the 
government.  132  One  problem  with  this  opinion  is  it  builds  upon  the  flawed  understanding 
of  privacy  as  secrecy  by  granting  the  government  unfettered  access  to  any  information  a 
person  divulges.  Another  problem  is  it  undermines  basic  freedoms  because  it  establishes 
that  a  person  must  isolate  herself  from  modern  society  in  order  to  maintain  her  privacy 
interest.  In  a  free  society,  however,  providing  information  to  another  party  during  routine 
societal  interactions  is  not  the  same  as  a  person  consenting  to  government  access  to  that 
information.  133  In  the  words  of  Justice  Marshall’s  dissenting  opinion  in  Smith:  “privacy 
is  not  a  discrete  commodity,  possessed  absolutely  or  not  at  all.  Those  who  disclose 
certain  facts  to  a  bank  or  phone  company  for  a  limited  business  purpose  need  not  assume 
that  this  information  will  be  released  to  other  persons  for  other  purposes.”  134  It  is 
unreasonable  for  society  to  align  its  standards  of  privacy  with  a  paranoid  expectation  that 
the  other  party  will  provide  any  and  all  information  to  the  government.  The  traditional 
application  of  the  reasonable  standard  results  in  the  categorical  rejection  of  valid  privacy 
interests  for  information  provided  to  third  parties,  which  unduly  decreases  privacy  costs 
associated  with  government  surveillance. 

While  this  thesis  agrees  in  principle  with  the  subjective  and  reasonable 
requirements  of  privacy,  it  disagrees  with  the  traditional  interpretations  and  applications 
explained  above.  The  strict,  burdensome  criteria  extend  the  threshold  for  establishing  a 
valid  a  privacy  interest  beyond  what  is  feasible  in  modern  society.  The  pervasiveness  of 
technology  in  America  today  presents  new  challenges  to  what  is  a  subjective  and 
reasonable  expectation  of  privacy.  In  United  States  versus  Jones,  Justice  Samuel  Alito 
noted  that  as  technology  progresses,  there  will  not  always  be  clear  analogies  between  the 
twenty-first  and  eighteenth  centuries.  135  The  role  of  various  technologies  in  routine 
societal  interactions  is  such  a  situation,  and  it  requires  a  new  way  of  interpreting  what 
constitute  subjective  and  reasonable  expectations  of  privacy. 

United  States  v.  Miller,  425  U.S.  435  (1976). 

Smith  V.  Maryland,  442  U.S.  735  (1979). 

Smith,  442  U.S.  735. 

United  States  v.  Jones,  132  S.  Ct.  945  (2012). 
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B. 


THE  PRIVACY  IMPLICATIONS  OF  TECHNOLOGY  IN  SOCIETY 


a.  More  Internet  Usage 

The  reach  of  technology  into  nearly  every  part  of  the  American  way  of  life  and 
the  amount  of  records  kept  by  both  people  and  organizations  has  important  privacy 
implications.  Some  of  the  most  basic  social  interactions,  such  as  working,  banking, 
shopping,  commuting,  and  communicating,  now  have  a  cyber  element.  Recent  statistics 
put  the  amount  of  Americans  with  Internet  access  at  86  percent  of  the  population.  1 3®  The 
level  of  use  alone  reflects  the  pervasiveness  of  the  Internet  in  society.  When  the  types  of 
online  activities  are  taken  into  account,  the  role  of  technology  in  the  performance  of 
routine  social  interactions  becomes  apparent  (Table  1). 


136“intemet  User  Demographics,”  Pew  Research  Center,  accessed  February  8,  2014, 
http://www.pewinternet.org/data-trend/intemet-use/latest-stats/;  Center  for  the  Digital  Future,  The  2013 
Digital  Future  Report:  Surveying  the  Digital  Future,  Los  Angeles,  CA:  University  of  Southern  California, 
2013,15, 

http://www.worldintemetproiect.net/  Fdes/  Published/  oldis/713  2013  digital  future  report  usa.pdf 
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Have  Used  the  Internet  To: 

Percentage  of 
Internet  Users 

Find  information  through  a  search  engine 

91 

Send  or  receive  email 

88 

Search  a  map  or  get  driving  directions 

84 

Read  the  news 

78 

Research  health  information 

72 

Look  for  information  on  a  local,  state,  or 
federal  government  website 

67 

Social  networking 

67 

Make  travel  reservations  or  purchases 

65 

Purchase  books 

63 

Read  political  news  or  information 

61 

Conduct  online  banking 

61 

Look  for  religious  information 

32 

Table  1.  U.S.  Internet  Usage ^37 


b.  More  Participants  and  Data 

Most  of  the  traditional  ways  of  carrying  out  social  interactions  included  just  two 
parties.  For  example,  purchasing  a  book  used  to  be  between  a  person  and  a  bookstore, 
buying  an  airline  ticket  between  a  person  and  an  airline,  and  banking  between  a  person 
and  the  bank.  Conducting  these  activities  over  the  Internet,  however,  increases  the 
number  of  participants  for  any  given  exchange.  A  routine  interaction  would  now 
reasonably  include  the  person,  the  Internet  service  provider,  a  search  engine,  the 
company  that  builds  or  maintains  the  website,  and  the  company  or  organization  with 
whom  the  person  intends  to  interact.  These  participants  may  keep  records  on  the  person 
and  his  or  her  activity.  Thus,  with  the  increase  in  participants  in  ordinary  transactions  has 
also  come  an  increase  in  data  creation.  An  estimated  98  percent  of  stored  information  was 
digital  as  of  2013  and  technological  improvements  have  simultaneously  amplified 


137  “Trend  Data  (Adults),”  Pew  Research  Center,  accessed  February  8,  2014, 
http://www.pewintemet.org/Trend-Data-(Adults)/Online-Activites-Total.aspx:  “Pew  Internet:  Health,” 
Susannah  Fox,  Pew  Research  Center,  December  16,  2013, 

http://www.pewintemet.org/Commentarv/201 1/November/Pew-Intemet-Health.aspx;  Center  for  the  Digital 
Future,  The  2013  Digital  Future  Report,  16. 
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information  access,  storage,  sharing,  and  analysis  capabilities.  138  Traditional 
interpretations  of  the  subjective  and  reasonable  expectations  of  privacy  deny  that  a  person 
has  a  valid  privacy  interest  in  any  of  these  interactions  or  any  of  the  information. 

There  are  also  the  hidden,  less  known  participants  that  constantly  track  online 
activity.  Data  brokers  surreptitiously  eollect  and  aggregate  data  pertaining  to  a  person’s 
online  activity,  which  they  then  use  to  create  detailed  dossiers  about  him  or  her.  139 
Companies  like  Acxiom,  Epsilon,  Reed  Elsevier,  and  Datalogix  each  maintain  data  on 
millions  of  Americans.  I'm  One  of  the  primary  methods  these  companies  use  to  track  a 
person’s  behavior  is  through  websites,  but  tracking  can  also  occur  through  mobile 
devices.  1^1  This  traeking  oceurs  mostly  unknown  because  it  requires  no  deliberate 
consent  by  the  user,  the  technology  is  embedded  in  the  websites,  and  it  uses  the  unique 
identifiers  associated  with  a  person’s  devioe.i"!^  When  someone  uses  the  Internet  to  read 
the  news,  make  travel  reservations,  and  do  online  banking,  his  or  her  activity  is  tracked 
aeross  multiple  websites.  Eor  example,  the  Doubleclick  tracking  tool  monitors  users’ 
behavior  on  websites  belonging  to  Bank  of  America,  Delta  airlines.  Enterprise  and  Hertz 
rental  car,  Hilton  hotel,  CNN,  Eox  News,  and  the  Washington  Post.  1^3  Similarly, 
Omniture  tracks  activity  on  Bank  of  America,  Citi  Bank,  JP  Morgan,  Budget  rental  car. 


138  u.S.  Senate,  Committee  on  Commerce,  Science,  and  Transportation,  Office  of  Oversight  and 
Investigations,  A  Review  of  the  Data  Broker  Industry:  Collection,  Use,  and  Sale  of  Consumer  Data  for 
Marketing  Purposes,  December  18,  2013,  1. 

139  Ibid.,  i,5,36. 

140  Ibid.,  10,12. 

141  Ibid.,  10,31. 

142  Ibid.,  4,31. 

143  Bank  of  America  homepage,  accessed  February  7,  2014,  https://www.bankofamerica.com/:  Delta 
homepage,  accessed  February  7,  2014,  http://www.delta.com/;  Enterprise  homepage,  accessed  February  7, 
2014,  http://www.enterprise.com/car  rental/ho  me.  do;  Hertz  homepage,  accessed  February  7,  2014, 
https://www.hertz.com/rentacar/reservation/;  Hilton  homepage,  accessed  February  7,  2014, 
http://www3.hilton.com/en/index.html;  CNN  homepage,  accessed  February  7,  2014,  http://www.cnn.com/; 
Fox  News  homepage,  accessed  February  7,  2014,  http://www.foxnews.com/;  Washington  Post  homepage, 
accessed  February  7,  2014,  http://www.washingtonpost.com/. 
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Marriott  hotel,  BBC  News,  Fox  News,  and  the  Washington  Post.  1^4  eompanies  that 
own  these  traekers  partner  together  and  share  the  information  colleeted.  Thus,  even  if 
a  speeifie  tool  sueh  as  Omniture  does  not  traek  a  user’s  aetivity  aeross  all  websites, 
partnership  signifieantly  inerease  its  aeeess  to  information.  The  assoeiated  business 
reeords  about  a  person’s  aetivities  would  be  outside  of  the  traditional  applieation  of  the 
reasonable  privaey  expeetation  of  privaey  standard,  even  though  a  person  did  not 
voluntarily  provide  this  information. 

c.  More  Personal 

The  information  in  business  reeords  that  pertain  to  online  aetivity  ean  be  highly 
personal.  Today,  these  reeords  reveal  a  signifieant  amount  of  private  details,  sueh  as  a 
person’s  habits,  preferenees,  and  finaneial  and  health  status.!^®  By  traeking  routine 
aetivities,  eompanies  are  able  to  paint  an  aeeurate  profile  of  the  user.  Bluekai,  for 
example,  elaims:  “plaee  our  pixel  on  any  page  to  analyze  ineoming  traffie  [and]  diseover 
the  preeise  aggregate  profile  of  any  site  visitor.”  1^7  Although  this  statement  seems  more 
ambition  than  reality,  the  amount  of  data  that  eaeh  of  the  hundreds  of  eompanies  track 
and  the  level  of  sharing  that  occurs  through  partnerships  makes  the  precise  profiling  of 
users  feasible.  Acxiom’s  consumer  profiles  demonstrate  this  point.  Acxiom  requires  a 
user  to  enter  his  first  and  last  name,  full  address,  date  of  birth,  last  four  digits  of  his  social 
security  number,  and  an  email  address  in  order  to  see  some  of  the  information  it  has  on 


Bank  of  America  homepage,  accessed  February  7,  2014,  https://www.bankofamerica.com/;  Citi 
Bank  homepage,  accessed  February  7,  2014,  https://online.citibank.eom/US/Welcome.c;  J.P.  Morgan 
homepage,  accessed  February  7,  2014,  https://www.ipmorgan.cotn/pages/ipmorgan;  Budget  homepage, 
accessed  February  7,  2014,  http://www.budget.cotn/budgetWeb/home/home.ex;  Marriott  homepage, 
accessed  February  7,  2014,  http://www.tnarriott.cotn/default.tni;  BBC  News,  accessed  February  7,  2014, 
http://www.bbc.com/news/;  Fox  News  homepage,  accessed  February  7,  2014,  http://www.foxnews.cotn/; 
Washington  Post  homepage,  accessed  February  7,  2014,  http://www.washingtonpost.cotn/. 

145  “Partners,”  Foresee,  accessed  on  March  1,  2014,  http://www.foresee.com/companv/partners.shttnl; 
“Webtrends  Partners,”  Webtrends,  accessed  on  March  1,  2014,  https://webtrends.com/partners/webtrends- 
partners;  “Partner  Program,”  Bluekai,  accessed  on  March  1,  2014,  http://bluekai.com/customers.php: 
“Technology  Partners,”  Brightcove,  accessed  on  March  1,  2014, 
http://www.brightcove.cotn/en/partners/technologv-partners. 

146  Senate  Committee  on  Commerce,  A  Review  of  the  Data  Broker  Industry,  i,2. 

147  Bluekai,  “Little  Blue  Book:  A  Buyer’s  Guide,”  Bluekai,  February  2014,  5, 
http://bluekai.com/bluebook/bluekai-little-blue-book.pdf 
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him.  148  xhe  requirement  to  use  personally  identifiable  information  in  order  to  see  part  of 
a  digital  dossier  makes  it  evident  that  the  traeking  is  preeise;  it  is  personal. 

Two  examples  demonstrate  what  even  limited  data  points  reveal  about  a  person. 
One  of  those  sourees  of  information  is  soeial  network  sites.  WolframAlpha  provides  a 
detailed  analysis  about  a  person’s  life  simply  by  aceessing  the  metadata  assoeiated  with 
his  or  her  Faeebook  aeeount.  Its  Personal  Analyties  produet  will  ealeulate  a  user’s 
aetivity  patterns,  to  include  when  a  person  is  active  for  a  given  day  of  the  week,  what  he 
or  she  is  doing,  such  as  posting  photos  or  making  comments,  and  if  the  connection  occurs 
through  a  mobile  device.  149  It  will  also  diagram  the  social  structure  of  a  person’s  friends 
(Figure  1),  identify  who  among  them  plays  a  special  role,  and  provide  a  geographic 
layout  of  where  those  friends  are  in  the  world  (Figure  2).  i^o 


148  “Who  Are  you?,”  Acxiom,  accessed  on  March  1,  2014,  https://aboutthedata.cotn/portal. 

149  “Personal  Analytics  for  Faeebook,”  WolframAlpha,  accessed  on  March  1,  2014, 
http://www.wolframalpha.coin/facebook/. 

l^H  Ibid. 

1^1  Figure  taken  from  “Personal  Analytics  for  Faeebook,”  WolframAlpha, 
http://www.wolframalpha.com/facebook/. 
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Figure  2.  WolframAlpha  Friend  Loeation  Analysis  1^2 


Another  souree  that  has  few  details  but  still  reveals  significant  personal 
information  is  email  metadata.  The  Massachusetts  Institute  of  Technology  (MIT) 
Immersion  tool  analyzes  a  person’s  social  network  based  solely  on  the  metadata  in  his  or 
her  emails — the  From,  To,  CC,  and  timestamp.  1^3  Based  on  the  analysis  of  these  simple 
data  points.  Immersion  will  show  who  a  person  communicates  with  most,  the  social 
network  links  between  the  contacts,  how  far  back  the  communication  history  goes 
(Figure  3).  1^4 


152  Figure  taken  from  “Personal  Analytics  for  Facebook,”  WolframAlpha, 
http://www.wolframalpha.com/facebook/. 

1^3  “Immersion:  A  People-Centric  View  of  Your  Email  Life,”  Massachusetts  Institute  of  Technology 
(MIT),  accessed  on  March  1,  2014,  https://immersion.media.mit.edu. 

154  “Will  Hunting”  [Demo],  MIT,  accessed  on  March  1,  2014,  https://immersion.media.mit.edu/demo. 
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Figure  3.  MIT  Immersion  Email  Analysis 


Combining  the  soeial  network  and  email  analysis  tools  would  reveal  even  more 
personal  information,  let  alone  adding  sourees  of  travel,  banking,  and  phone  reeords  or 
sources  that  track  online  activity.  Providing  the  government  unrestrained  access  to 
personal  information  is  extremely  worrisome  from  a  privacy  perspective,  yet  that  is 
exactly  what  results  from  traditional  interpretations  of  the  subjective  and  reasonable 
expectations  of  privacy.  Thus,  even  if  the  government  does  not  collect  this  data  on 
Americans  or  create  dossiers,  it  can  access  commercial  equivalents  without  a  warrant. 

C.  CONCLUSION 

One  way  to  identify  privacy  costs  is  to  assess  the  presence  of  a  legitimate  privacy 
interest.  Establishing  that  such  an  interest  exists  relies  on  the  two  Eourth  Amendment 
privacy  standards:  a  subjective  expectation  by  the  individual  and  society’s  willingness  to 
recognize  that  expectation  as  reasonable.  This  chapter  argued  that  the  traditional 
interpretations  of  these  two  standards  have  been  insufficient,  particularly  in  the  context  of 
routine  interaction  in  modem  society.  The  role  of  technology  in  society  presents  a 
significant  challenge  because  traditional  interpretations  would  authorize  government 
access  to  a  wealth  of  personal  information  derived  from  routine  social  interactions  and 
that  reveals  extremely  private  details.  The  Eourth  Amendment  protects  a  person’s  privacy 

155 


Figure  taken  from  “Will  Hunting”  [Demo],  MIT,  https://imiuersion.media.mit.edu/demo. 
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from  government  incursion,  but  allowing  the  government  free  access  to  this  information 
is  in  and  of  itself  an  incursion.  The  Court  has  challenged  the  traditional  interpretations 
precisely  for  this  reason.  While  addressing  the  privacy  implications  of  the  third  party 
doctrine  in  modern  society,  Justice  Sonia  Sotomayor  argued: 

This  approach  is  ill  suited  to  the  digital  age,  in  which  people  reveal  a  great 
deal  of  information  about  themselves  to  third  parties  in  the  course  of 
carrying  out  mundane  tasks.  People  disclose  the  phone  numbers  that  they 
dial  or  text  to  their  cellular  providers;  the  URLs  that  they  visit  and  the 
email  addresses  with  which  they  correspond  to  their  Internet  service 
providers;  and  the  books,  groceries,  and  medications  they  purchase  to 
online  retailers.  ...  I  for  one  doubt  that  people  would  accept  without 
complaint  the  warrantless  disclosure  to  the  Government  of  a  list  of  every 
website  they  had  visited  in  the  last  week,  or  month,  or  year.  But  whatever 
the  societal  expectations,  they  can  attain  constitutionally  protected  status 
only  if  our  Fourth  Amendment  jurisprudence  ceases  to  treat  secrecy  as  a 
prerequisite  for  privacy.  I  would  not  assume  that  all  information 
voluntarily  disclosed  to  some  member  of  the  public  for  a  limited  purpose 
is,  for  that  reason  alone,  disentitled  to  Fourth  Amendment  protection.  1^6 

The  purpose  of  the  Fourth  Amendment  is  to  ensure  the  same  level  of  privacy  protections 
for  Americans  throughout  time.^^^  In  order  to  do  this,  there  needs  to  be  updated 
standards  of  the  subjective  and  reasonable  expectations  of  privacy. 

A  proper  understanding  of  these  two  criteria  is  crucially  important  because  it  can 
skew  the  balance  between  privacy  and  security:  if  privacy  standards  are  too  strict,  it  will 
undervalue  privacy  costs  while  if  the  standards  are  too  loose,  then  it  will  overvalue 
privacy  costs.  This  thesis  interprets  the  subjective  and  reasonable  standards  to  mean  the 
following.  First,  a  person  exhibits  a  subjective  expectation  of  privacy  by  deliberately 
limiting  the  value  and  quantity  of  the  objects,  activities,  or  statements  he  or  she  shares 
with  others  and  by  restricting  the  number  of  people  with  whom  he  or  she  shares  these 
things.  Second,  a  reasonable  expectation  of  privacy  accounts  for  the  pervasiveness  of 
technology  in  society,  particularly  in  regards  to  conducting  routine  social  behaviors, 
surreptitious  collection  of  personal  information,  and  the  level  of  detail  in  business 
records.  These  standards  better  capture  a  person’s  expectation  of  privacy,  which  makes 


156  Jones,  132  S.  Ct.  945  (2012). 

157  Ibid. 
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the  overall  privaey  interest  more  refleetive  of  actual  concerns  over  privacy  infringements. 
With  these  two  fundamental  components  of  the  expectation  of  privacy  established,  the 
thesis  will  now  address  how  to  evaluate  the  collective  privacy  costs  of  a  surveillance 
program. 
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IV.  HOW  TO  MEASURE  PRIVACY  COSTS 


The  analysis  in  the  previous  ehapters  established  the  elements  of  privacy  costs. 
Chapter  II  demonstrated  how  aspects  of  intelligence  programs  that  defy  Americans’ 
expectations  for  government  behavior  can  create  privacy  concerns.  Chapter  III  delineated 
standards  for  a  subjective  and  reasonable  expectation  of  privacy  against  which 
government  activities  cannot  infringe  without  generating  privacy  concerns.  Taken  as  a 
whole,  the  factors  identified  in  both  chapters  provide  the  basis  for  measuring  privacy 
costs.  This  chapter  will  turn  those  elements  into  a  model  for  measuring  the  overall 
privacy  costs  of  an  intelligence  program.  The  two  principal  components  of  this  model  are 
the  primary  and  comprehensive  assessments. 

A,  PRIMARY  ASSESSMENT 

Measuring  privacy  costs  of  an  intelligence  program  starts  with  an  analysis  of  the 
core  privacy  elements  identified  in  the  previous  chapters.  This  examination  first 
determines  whether  these  elements  apply  to  an  intelligence  program.  Next,  it  evaluates 
what  effect  the  presence  or  absence  of  that  element  has  on  privacy  costs.  For  example,  if 
an  intelligence  program  collects  personal  information,  then  there  is  a  legitimate  privacy 
concern,  which  increases  the  privacy  costs.  Some  factors  decrease  the  overall  cost  by 
accounting  for  privacy  concerns  or  protecting  against  abuse.  If  an  intelligence  program 
applies  technology  that  makes  information  anonymous,  for  example,  then  it  minimizes 
the  possibility  of  the  government  abusing  that  personal  information.  On  the  other  hand, 
the  absence  of  mitigating  tools  or  procedures  increases  privacy  costs.  For  instance,  if 
limiting  the  number  of  analysts  who  can  access  sources  of  personal  information  lessens 
the  potential  for  abuse  by  intelligence  agencies,  then  the  absence  of  this  feature  increases 
the  possibility  for  abuse  and  thus  raises  the  associated  privacy  cost. 

The  Privacy  Concerns  and  Safeguards  Matrix  in  Figure  4  is  the  tool  for 
conducting  the  primary  assessment.  As  shown  in  the  matrix,  privacy  cost  elements  fall 
into  two  categories:  those  that  establish  privacy  concerns  and  those  that  act  as  privacy 
safeguards.  Each  factor  increases  or  decreases  privacy  costs  according  to  the  following 
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general  rules.  The  presence  of  privacy  concerns  or  the  absence  of  safeguards  increases 
privacy  costs.  If  a  program  has  safeguards,  then  privacy  costs  decrease.  The  absence  of  a 
privacy  concern  neither  increases  nor  decreases  costs.  For  example,  a  primary  assessment 
of  the  Cold  War  FBI  programs  reviewed  in  Chapter  II  would  result  in  the  matrix  in 
Figure  5.  The  comprehensive  analysis  provides  meaning  to  these  costs 


Primary  Assessment 

Privacy  Concerns 

Yes  or  No  |  Privacy  Safeguards 

Yes  or  No 

Program  collects  or  accesses  personal 
information: 

Parties  responsible  conducted  a  privacy 
inp  ac  t 

Yes  =  Mitigates  privacy  concerns  and 
decreases  privacy  cost 

Information  collected  or  accessed  is 
being  used  for  other  than  intended 
purpose: 

No:  Does  not  support  the  presence  of  a 
valid  privacy  interest 

Shaiing  of  intelligence  products  derived 
from  personal  information  is  limited: 

Information  foils  under  a  subjective 
expectation  of  privacy: 

Access  to  personal  infomiation  is 
restricted: 

Society  recognizes  the  expectation  of 
privacy  as  reasonable: 

Program  is  subject  to  Executive 
oversight: 

Information  collected  or  accessed  is 
derived  from  activities  protected  under 
the  First  Amendment: 

Program  is  subject  to  Congressional 
oversight: 

Program  is  subject  to  Judicial  oversight: 

Accountability  mechanisms  enable  the 
auditing  of  access  to  and  use  of  personal 
information; 

The  information  is  made  anonymous: 

Figure  4.  Privacy  Concerns  and  Safeguards  Matrix 
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FBI  Cold  War  Programs 

Privacy  Concerns 


Progi'am  collects  or  accesses  pereonal 
information: 

Information  collected  or  accessed  is 
being  used  for  other  tlian  intended 
purpose: 

Information  fells  under  a  subjective 
expectation  of  privacy: 


Society  recogni^s  the  expectation  of 
privacy  as  reasonable: 

Information  collected  or  accessed  is 
derived  from  activities  protected  under 
the  First  Amendment: 


Privacy  Safeguards 


Parties  responsible  conducted  a  privacy 
inpact  assessment: 

Sharing  of  intelligence  products  derived 
from  personal  information  is  limited: 

Access  to  personal  information  is 
restricted: 

Program  is  subject  to  Executive 
oversight: 

Program  is  subject  to  Congressional 
oversi^t: 


Program  is  subject  to  Judicial  oversiglit: 


Accountability  n^chanisms  enable  the 
auditing  ofaccess  to  and  use  of  personal 
information: 


Tlie  infoimation  is  made  anonymous: 


Figure  5.  FBI  Cold  War  Programsi^^ 


B,  COMPREHENSIVE  ASSESSMENT 

The  objective  of  comprehensive  assessment  is  to  capture  the  overall  costs 
associated  with  an  intelligence  program  in  order  to  inform  the  debate  between  security 
and  liberty.  It  attempts  to  answer  the  questions:  what  are  the  privacy  costs  and  are  these 
costs  acceptable?  Based  on  the  results  of  the  primary  assessment,  the  comprehensive 
analysis  contextualizes  the  overall  concerns  raised  by  a  program,  identifies  any 
deficiencies  in  the  program,  and  assesses  what  has  the  most  negative  effect  on  the  overall 
privacy  costs.  For  example,  if  the  intelligence  program’s  only  source  of  information 
derives  from  First  Amendment  protected  activities,  there  are  no  other  privacy  concerns 
implicated,  and  all  the  safeguards  are  in  place  except  for  Congressional  and  Judicial 
oversight  the  comprehensive  assessment  would  be  as  follows.  In  this  example,  the  overall 
concerns  are  related  to  the  privacy  factors  with  the  most  negative  effect:  the  Executive 
branch  would  be  unchecked  by  other  branches  of  the  government  while  it  infringed  on 
the  privacy  of  Americans  participating  in  free  speech,  religion,  or  political  expression. 
The  significant  shortfall  would  be  the  lack  of  Congressional  and  Judicial  oversight.  The 


This  figure  uses  the  information  about  FBI  surveillance  programs  detailed  in  Chapter  II. 
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comprehensive  assessment  provides  this  level  of  analysis  to  the  overall  privaey  costs 
(Figure  6). 


Comprehensive  Assessment 

Overall  Concerns: 

While  this  program  does  not  invoke  many  of  the  privacy  concerns  and  has  numerous  safeguards,  the 
particular  combination  of  targeting  First  Amendment  protected  activities  without  Congressional  or 
Judicial  oversight  is  troublesome. 

Shorlfalls: 

Lack  of  Congrc.ssional  and  Judicial  oversight 

Most  Negative  KITeet: 

Executive  branch  would  be  unchecked  by  other  branches  of  the  government  while  it  infringed  on  the 
privacy  of  Americans  exercising  free  speech,  religion,  or  political  expression 

Figure  6.  Example  Comprehensive  Assessment 


Acceptability,  the  second  element  that  the  comprehensive  analysis  addresses,  is 
not  a  normative  judgment  about  the  ultimate  eosts  assoeiated  with  an  intelligence 
program.  Instead,  it  is  a  subjective  representation  of  the  public’s  tolerance  for  intelligenee 
tools,  lack  of  safeguards,  or  the  reach  of  a  program.  Acceptability  eontextualizes  a 
program’s  privaey  eoncerns  by  indicating  which  concerns  are  higher  priorities  or  where 
the  scope  of  the  program  falls  in  relation  to  public  tolerance.  Determining  a  subjeetive 
acceptance  level  requires  eomparing  the  seope  of  the  intelligenee  program — measured  in 
both  the  number  of  total  people  affected  and  the  number  of  Amerieans  affeeted — ^with 
publie  opinion.  For  example,  the  TIA  program  would  have  had  unlimited  aceess  to  eredit 
card  transactions,  which  would  have  affeeted  every  Ameriean  with  a  eredit  eard  at  the 
time.  Would  the  government  colleeting  and  accessing  data  on  the  credit  eard 
transaetions  of  over  159  million  Americans  have  been  within  the  threshold  of  public 
tolerance  in  2002?  Aeeording  to  publie  opinion  in  2002,  43  percent  of  Americans 
approved  of  the  government  aceessing  eredit  eard  reeords.  The  pereentage  of 
Amerieans  that  would  have  been  affected,  however,  would  have  been  higher  than  the 
pereentage  of  those  who  approved  (Figure  7).  Consequently,  the  seope  of  the  program 

The  TIA  capabilities  are  detailed  in  Chapter  II. 

U.S.  Department  of  Commerce,  Bureau  of  the  Census,  Statistical  Abstract  of  the  United  States, 
2012  (Washington,  DC:  Government  Printing  Office,  2012),  table  1188. 

“Balancing  Act:  National  Security  and  Civil  Liberties  in  Post-9/1 1  Era,”  Carroll  Doherty,  Pew 
Research  Center,  June  7,  2013,  http://www.pewresearch.org/fact-tank/2013/06/07/balancing-act-national- 
security-and -civil-liberties-in-post-9 1 1  -era/. 
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would  have  been  subjectively  unacceptable,  thus  increasing  the  privacy  costs.  Although 
public  opinion  is  not  an  authoritative  gauge  for  the  acceptability  of  an  intelligence 
program,  it  nonetheless  puts  the  concerns  into  context — ^which  either  subjectively 
increases  or  decreases  the  privacy  costs. 


Figure  7.  Example  of  Acceptability  Analysis 


C.  CONCLUSION 

Measuring  privacy  costs  requires  a  primary  analysis  that  determines  whether  a 
certain  privacy  concern  applies  to  an  intelligence  program  and  then  assesses  a  positive  or 
negative  privacy  cost.  The  comprehensive  assessment  builds  off  the  primary  evaluation 
and  determines  what  the  overall  costs  are  for  a  given  program.  This  requires  an 
examination  of  the  cumulative  results  of  the  primary  analysis  to  identify  the  overall 
concerns  raised  by  a  program,  its  shortfalls,  and  which  areas  have  the  most  negative 
effects  on  the  program’s  privacy  costs.  The  comprehensive  assessment  also  addresses  the 
acceptability  of  the  privacy  concerns,  which  puts  the  overall  costs  into  context. 

There  are  limitations  to  measuring  privacy  costs.  Alternative  options  such  as  a 
scoring  system  would  be  insufficient  because  measuring  privacy  costs  is  not  amenable  to 

162  Ibid.;  Bureau  of  the  Census,  Statistical  Abstract,  table  1188;  Bureau  of  the  Census,  Population 
Estimates:  Annual  Resident  Population  Estimates  of  the  United  States  by  Age  and  Sex  (Washington,  DC: 
Government  Printing  Office,  2002). 
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quantitative  analysis.  Assigning  numerical  values  to  privacy  concerns  runs  the  risk  of 
devaluing  legitimate  privacy  interests.  That  an  American  has  a  subjective  and  reasonable 
expectation  of  privacy  is  just  as  valid  of  an  interest  as  the  right  to  participate  in  First 
Amendment  protected  activities  free  from  government  surveillance.  One  concern  should 
not  be  valued  more  than  the  other;  the  real  value  is  simply  that  a  privacy  concern  exists. 
Moreover,  safeguards  can  minimize  risks,  but  these  cannot  negate  the  presence  of  a 
legitimate  privacy  concern.  That  an  analyst  does  not  know  to  whom  the  information 
pertains  because  it  is  anonymous  does  not  annul  the  privacy  concern  created  by  the 
government  collecting  personal  information.  The  purpose  of  measuring  privacy  costs  is  to 
inform  what  is  at  stake;  it  is  not  the  role  of  arbitrary  numbers  to  determine  what  is  a  high, 
low,  or  worthwhile  privacy  cost.  That  decision  is  left  to  society  as  it  balances  between 
security  and  liberty. 
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D 


PRIVACY  COSTS  ASSESSEMENT  FORM 


Primary  Assessment 


Privacy  Concerns 

Yes  or  No  |  Privacy  Safeguards 

Yes  or  No 

Program  coDects  or  accesses  personal 
infomiation: 

Parties  responsible  a  privacy 

inpact 

Yes  =  Mitigates  privacy  concerns  and 
decreases  privacy  cost 

Information  collected  or  accessed  is 
being  used  for  other  than  intended 
purpose: 

No:  Docs  not  support  the  presence  of  a 
valid  privacy  interest 

Sharing  of  intelligence  products  derived 
from  personal  information  is  limited: 

Information  fells  under  a  subjective 
expectation  of  privacy: 

Access  to  personal  information  is 
restricted: 

Society  recognizes  the  expectation  of 
privacy  as  reasonable: 

Program  is  subject  to  Executive 
oversight: 

Information  collected  or  accessed  is 
derived  from  activities  protected  under 
the  First  Amendment: 

Program  is  subject  to  Congressbnal 
oversiglit: 

Program  is  subject  to  Judicial  oversight: 

Accountability  mechanisms  enable  the 
auditing  of  access  to  and  use  of  personal 
information: 

The  infoimation  is  made  anonymous: 

Comprehensive  Assessment 


Overall  Concerns: 


Shortfalls: 


Most  Negative  Effect: 


Indicators  of  Acceptability 


Figure  8.  Privacy  Costs  Assessment  Form 
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V.  MEASURING  PRIVACY  COSTS  OF  A  MODERN 
INTELLIGENCE  PROGRAM 


One  of  the  most  eontroversial  domestie  surveillanee  programs  in  modern  times  is 
an  NSA  program  that  eolleets  business  reeord  (BR)  metadata  in  bulk  under  Seetion  215 
authorities  of  the  Patriot  Act.  1^3  a  vast  majority  of  these  records  pertains  to 
communications  of  U.S.  persons  within  the  United  States.  NSA  BR  metadata 

program  has  consequently  received  heavy  criticism  for  infringing  on  Americans’  privacy, 
which  has  generated  numerous  calls  for  reform  by  some  members  of  Congress  and  the 
public.  On  the  other  side  of  the  issue  are  people  who  argue  that  the  program  is  an 
effective  counterterrorism  tool.  The  debate  is  essentially  between  security  and  liberty,  but 
that  conversation  is  uninformed  until  those  involved  know  what  the  privacy  costs  are. 
This  chapter  will  take  the  method  for  measuring  privacy  costs  outlined  in  Chapter  IV  and 
apply  it  to  the  NSA  BR  metadata  program.  A  majority  of  the  chapter  will  focus  on  the 
primary  and  comprehensive  assessments  of  the  overall  privacy  costs.  It  will  conclude 
with  an  evaluation  of  recent  changes  to  intelligence  practices  and  determine  what  effect 
these  reforms  will  have  on  the  privacy  costs  associated  with  the  BR  metadata  program. 

A.  PRIMARY  ASSESSMENT 

1.  Privacy  Concerns 

This  section  will  measure  the  privacy  concerns  of  the  BR  metadata  program  in 
accordance  with  the  method  established  in  Chapter  IV.  Specifically,  it  will  determine  if 
the  program  uses  information  for  other  than  its  originally  intended  purpose,  uses  personal 
information,  infringes  on  an  expectation  of  privacy,  or  targets  First  Amendment  protected 
activities. 


1^3  U.S.  Department  of  Justice,  Office  of  Intelligence,  National  Security  Division  (NSD),  Report  on 
the  National  Security  Agency ’s  Bulk  Collection  Programs  Affected  by  USA  PATRIOT  Reauthorization, 
February  2,  201 1,1;  NSD,  Report  on  the  National  Security  Agency’s  Bulk  Collection  Programs  Affected  by 
USA  PATRIOT  Reauthorization,  December  14,  2009,  3. 

164  Foreign  Intelligence  Surveillance  Court  (FISC),  Supplemental  Opinion  and  Order,  Docket 
Number:  BR  09-15,  November  5,  2009,  5. 
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a.  Using  Information  for  Another  Purpose 

The  first  question  to  answer  is:  does  the  NSA  BR  program  use  information  for 
something  other  than  the  original  purpose  of  that  information?  Under  the  BR  program, 
the  NSA  eollects  bulk  metadata  from  U.S.  teleeommunications  providers,  It  obtain 
this  information  from  teleeommunieations  eompanies  by  providing  a  eourt  order  that 
requires  them  to  produee  business  reeords  on  nearly  all  the  telephone  ealls  eaeh  one 
handles  both  in  and  out  of  the  eountry  as  well  as  ealls  made  entirely  within  the  United 
States.  It  then  uses  this  information  to  eonduet  eall  ehaining,  whieh  is  a  form  of 
intelligenee  analysis,  Thus,  the  program  takes  information  from  teleoommunieation 
eompanies  originally  intended  for  the  limited  purposes  of  establishing  a  eontraetual 
relationship  and  maintaining  billing  reeords  and  uses  it  to  analyze  a  person’s 
eommunication  habits  and  eontaets.  The  BR  program  clearly  uses  metadata  for  a  purpose 
other  than  those  the  companies  and  customers  originally  intended. 

b.  Personal  Information 

The  second  question  to  answer  is:  does  the  NSA  BR  program  collect  or  access 
personal  information?  This  question  is  difficult  to  answer.  On  the  one  hand,  the  data  is 
intentionally  stripped  of  personal  information.  It  does  not  collect  the  content  of 
communications  or  the  name,  address,  or  financial  information  of  a  subscriber, 
Instead,  the  BR  program  collects  the  following  types  of  information: 

•  Telephone  numbers 

•  Times  of  communication 

•  Dates  of  communication 

NSD,  Report  on  the  National  Security  Agency ’s  Bulk  Collection  Programs,  2009,  2. 

166  Ibid.,  3. 

167  NSD,  Memorandum  of  the  United  States  in  Response  to  the  Court’s  Order  Dated  January  28, 

2009,  Docket  Number:  BR  08-13,  February  17,  2009,  3. 

168  Report  on  the  National  Security  Agency ’s  Bulk  Collection  Programs,  2009,  3,5;  NSD, 

Report  on  the  National  Security  Agency ’s  Bulk  Collection  Programs,  2011,  5;  FISC,  Primary  Order, 

Docket  Number:  BR  13-80,  April  25,  2013,  3;  FISC,  Order,  Docket  Number:  BR  06-05,  May  24,  2006,  2. 

169  NSD,  Report  on  the  National  Security  Agency’s  Bulk  Collection  Programs,  2009,  3,5;  NSD, 
Report  on  the  National  Security  Agency ’s  Bulk  Collection  Programs,  2011,  5;  FISC,  Primary  Order,  BR 
13-80,  2013,  3;  FISC,  Order,  BR  06-05,  2006,  2. 
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•  Duration  of  a  call 

•  International  Mobile  Subseriber  Identity  (IMSI)  number 

•  International  Mobile  station  Equipment  Identity  (IMEI)  number 

•  Trunk  identifier 

•  Telephone  calling  card  numbers 

While  this  data  can  be  quite  revealing,  without  the  identifying  information  it  only  depicts 
activities  of  a  nonspecific  person. 

On  the  other  hand,  the  NS  A  analysis  of  the  metadata  is  supposed  to  identify 
terrorists.  The  BR  program  is  misleading  in  this  regard  because  its  purpose  is  to  uncover 
the  taetics  used  by  terrorist  organizations  to  disguise  and  obseure  their  identities, 
Thus,  if  the  program  is  successful,  then  it  can  learn  these  tacties  and  potentially  reverse 
them  to  identify  terrorists.  After  all,  that  is  what  the  program  is  designed  to  do:  “analysis 
of  the  BR  metadata  addresses  a  eritical,  threshold  issue  for  the  Government’s  efforts  to 
detect  and  prevent  terrorist  acts  affecting  the  national  seeurity  of  the  United  States: 
identifying  the  terrorists  and  their  associates.” This  stated  objective,  however,  is  how 
the  BR  program  fits  into  overall  counterterrorism  efforts.  The  aetual  purpose  of  the  BR 
program  is  to  determine  if  terrorist  networks  are  communicating  with  anyone  inside  the 
United  States,  but  the  identifieation  proeess  stops  at  the  telephone  identifier  without 
accessing  any  personal  information.  1^2  Subsequent  actions  might  access  personal 
information  to  identify  who  is  using  the  telephone  that  is  communicating  with  terrorists, 
but  that  is  not  done  by  the  NS  A — it  is  done  by  the  EBI  (more  on  the  NS  A  and  EBI 
coordination  will  be  addressed  in  the  Eimited  Dissemination  part  of  the  Privaey 
Safeguards  seetion).  The  data  eollected  and  aceessed  under  the  NSA  BR  program  treads  a 
fine  line  between  ambiguous  and  personal  information.  Without  any  identifiable 
information  to  tie  the  metadata  back  to,  however,  the  NSA  program  does  not  invoke 
privacy  concerns  assoeiated  with  personal  information. 


170  FISC,  Order,  Docket  Number:  BR  08-13,  March  2,  2009,  2. 

171  NSD,  Report  of  the  United  States,  Docket  Number:  BR  09-09,  August  17,  2009,  50. 

172  Ibid.,  50-51. 
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c.  Subjective  and  Reasonable  Expectation  of  Privacy 

Do  Americans  have  a  subjective  expectation  of  privacy  over  their  phone  records 
and  is  society  willing  to  recognize  that  expectation  as  reasonable?  The  Office  of  the 
Director  of  National  Intelligence  (ODNI)  General  Counsel  Robert  Litt  argued  that 
according  to  the  third  party  doctrine,  Americans  do  not  have  a  legally  valid  expectation 
of  privacy  over  the  BR  metadata.  1^3  At  the  same  time,  Litt  recognized  that  changing 
technology  is  influencing  privacy  interests;  Americans  are  giving  away  “massive  amount 
of  information”  about  themselves,  An  important  distinction  is  that  Americans  are  not 
giving  their  information  to  the  government.  Litt  specifically  commented  on  how 
Americans  provide  their  information  to  private  companies  but  do  not  want  the 
government  to  have  this  information,  According  to  the  subjective  and  reasonable 
standards  applied  in  this  thesis,  that  point  demonstrates  intent  by  the  American  people  to 
restrict  the  sharing  of  that  information  with  the  government.  Thus,  a  person  entering  into 
a  contract  with  a  telephone  company  chooses  to  provide  limited  information  to  that 
company  and  not  to  the  government,  thereby  exhibiting  a  subjective  expectation  of 
privacy.  This  expectation  is  also  reasonable  from  a  societal  perspective  because  having  a 
telephone  is  part  of  normal  life,  communicating  is  a  routine  social  interaction,  phones  are 
the  technology  over  which  it  occurs,  and  providing  information  to  a  company  does  not 
equate  to  consent  for  government  surveillance.  Americans  have  an  expectation  of  privacy 
over  BR  metadata. 

d.  First  Amendment  Protected  Activities 

The  final  question  to  answer  is:  does  the  BR  program  collect  or  access 
information  created  during  First  Amendment  protected  activities?  The  answer  is  no. 
While  the  metadata  pertains  to  communications,  which  someone  could  argue  is  protected 


Robert  S.  Litt,  Privacy,  Technology  and  National  Security:  An  Overview  of  Intelligence 
Collection,  Office  of  the  Director  of  National  Intelligence,  (ODNI),  July  19,  2013,  2, 
http://www.dni.gov/index.php/newsroom/speeches-and-interviews/195-speeches-interviews-2Q13/896- 

privacv.-technology-and-national-securitv-an-overview-of-intelligence- 

collection?tmpLcomponent&format=pdf. 

174  Ibid.,  3. 
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under  First  Amendment  freedom  of  speech,  the  program  does  not  collect  content, 
Thus,  the  protected  activity — speech — is  not  the  source  of  information.  Additionally, 
there  are  forceful  restrictions  that  prevent  the  BR  program  from  infringing  on  First 
Amendment  protections.  For  example,  the  government  cannot  determine  that  a  U.S. 
person  is  associated  with  an  international  terrorist  organization  solely  based  on  his  or  her 
First  Amendment  activities,  Collecting  the  BR  metadata  must  be  relevant  to  an 
authorized  investigation,  and  that  investigation  of  potential  ties  between  a  U.S.  person 
and  an  international  terrorist  organization  cannot  solely  be  based  on  First  Amendment 
protected  activities,  Thus,  even  though  speech,  religion,  and  political  expression  fall 
dually  within  the  characteristics  of  terrorism  and  First  Amendment  freedoms,  these 
activities  are  protected.  An  association  with  terrorism  has  to  exist  in  order  for  the 
government  to  investigate,  collect,  and  subsequently  use  the  metadata.  Consequently, 
there  is  no  First  Amendment  privacy  concern  in  the  NSA  BR  program. 

2,  Privacy  Safeguards 

This  section  will  apply  the  method  established  in  Chapter  IV  to  determine  what 
safeguards  the  BR  program  institutes  to  mitigate  privacy  concerns.  It  will  evaluate  the 
following  tools  and  procedures;  privacy  impact  assessment,  limitations  on  dissemination, 
restrictions  on  access,  executive,  congressional,  and  judicial  oversight,  and  mechanisms 
that  enable  auditing  and  make  the  information  anonymous. 

a.  Privacy  Impact  Assessment 

There  is  no  indication  that  the  government  conducted  a  PIA  for  the  BR  metadata 
program.  None  of  the  declassified  documents  by  ODNI  have  yet  to  include  a  PIA.i^o 

NSD,  Report  on  the  National  Security  Agency 's  Bulk  Collection  Programs,  2009,  3,5;  NSD, 

Report  on  the  National  Security  Agency ’s  Bulk  Collection  Programs,  2011,  5;  FISC,  Primary  Order,  BR 
13-80,  2013,  3;  FISC,  Order,  BR  06-05,  2006,  2. 

FISC,  Primary  Order,  Docket  Number:  BR  09-13,  September  3,  2009,  8. 

FISC,  Primary  Order,  BR  13-80,  2013,  2. 

Ibid.,  2;  FISC,  Primary  Order,  BR  09-13,  2009,  8. 

1 80  The  declassified  documents  are  announced  and  posted  on  “Press  Releases,”  Office  of  the  Director 
of  National  Intelligence,  http://www.dni.gov/index.php/newsrootn/press-releases.  As  of  February  28,  2014, 
there  has  been  no  release  pertaining  to  a  PIA  of  the  NSA  BR  metadata  program  under  Section  215  of  FISA. 
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While  the  evidence  is  inconclusive,  it  is  likely  that  the  government  never  conducted  a 
PIA  because  of  how  the  program  developed.  In  the  immediate  aftermath  of  9/11, 
President  Bush  used  Executive  authority  to  sanction  the  collection  of  telephone  metadata, 
which  Congress  subsequently  codified  into  law.^^i  Thus,  out  of  emergent  circumstances 
the  program  emerged  and  then  continued  to  expand  to  what  it  is  today. 

b.  Limited  Dissemination 

One  of  the  most  basic  privacy  safeguards  is  to  limit  how  much  of  the  metadata  is 
shared  throughout  the  intelligence  community.  The  BR  program  limits  dissemination  in 
two  ways:  internally  and  externally.  Only  analysts  in  the  NS  A  trained  in  specific 
handling,  dissemination,  and  usage  guidelines  can  see  BR  metadata  query  results  before 
the  information  is  minimized.  ^  minimization  process  governs  the  collection, 

processing,  retention,  and  dissemination  of  information  about  U.S.  persons.  por 
example,  instead  of  using  a  name,  intelligence  can  use  the  term  U.S.  person,  what  this 
means  in  context  to  the  BR  program  is  that  before  any  of  the  approved  analysts  shares  the 
intelligence  with  anyone  else,  they  must  first  transform  some  of  the  data  into  general 
information  that  protects  against  the  possibility  of  anyone  determining  to  whom  the 
information  refers.  For  external  dissemination,  NSA  must  also  minimize  the  results  of 
metadata  queries.!*^  NSA  applies  such  a  strict  interpretation  of  minimization  it  prohibits 
the  sharing  of  the  telephone  number  because  someone  can  use  it  to  identify  who  the 
person  is.  The  result  might  be  an  intelligence  report  that  warns  of  Al-Qaeda 
communicating  with  several  U.S.  persons  within  the  United  States  at  a  higher  frequency 
than  normal  without  specifying  what  telephone  numbers  it  is  calling. 

ODNI,  “DNI  Announces  the  Declassification  of  the  Existence  of  Collection  Activities  Authorized 
by  President  George  W.  Bush  Shortly  After  the  Attacks  of  September  11,  2001,”  press  release,  December 
21,  2013,  http://www.dni.gOv/index.php/newsroom/press-releases/191-press-releases-2013/991-dni- 
announces-the-declassification-of-the-exisitence-of-collection-activities-authorized-bv-president-george-w- 

bush-shortlv-after-the-attacks-of-september-1 1.-2001 . 

182  FISC,  Primary  Order,  BR  13-80,  2013,  12-13. 

1 83  NSA,  U.S.  Signals  Intelligence  Directive  18:  Legal  Compliance  and  Minimization  Procedures, 
revised  January  25,  2011,  41-50. 

184  Ibid.,  48. 

185  FISC,  Primary  Order,  BR  13-80,  2013,  13. 


58 


Exceptions  to  the  minimization  rule  can  occur  if  specific  criteria  are  met.  The 
NSA  cannot  disseminate  un-minimized  information  about  a  U.S.  person  unless  it  is 
neeessary  to  understand  the  value  of  the  foreign  intelligenee,  it  is  evidenee  of  a  erime,  or 
it  “indieates  a  threat  of  death  or  serious  bodily  harm.”i^^  Yet  even  in  these 
eireumstanees,  the  FBI  must  follow  additional  minimization  procedures  for  domestic 
operations  after  it  reeeives  the  intelligenee  from  NSA.  These  exeeptions  are  also  rare. 
Despite  eolleeting  a  eonsiderable  amount  of  metadata,  the  NSA  only  provides  an  average 
of  two  telephone  numbers  per  day  to  the  FBI.  1^9  Overall,  the  most  personal  information 
shared  by  the  BR  program  is  a  very  small  amount  of  telephone  numbers  linked  to 
international  terrorist  organizations. 

c.  Restricted  Access 

While  the  BR  program  eollects  an  immense  amount  of  data,  the  NSA  tightly 
restriets  aeeess  to  the  metadata.  The  only  government  ageney  that  stores  and  aeeesses  the 
information  is  the  NSA.i^o  it  restricts  access  by  applying  unique  markings  to  the 
metadata  so  that  software  ean  eontrol  who  queries  the  data,  Only  those  at  the  NSA 
with  authorization  and  speeifie  training  ean  aeeess  the  information  and  only  for  speeifie 
purposes.  192  First,  there  must  be  a  reasonable,  articulable  suspieion  (RAS)  that  the 
telephone  number  is  associated  with  a  terrorist  organization  on  an  offieial  government  list 
in  order  for  an  analyst  to  query  the  database.  193  Second,  a  query  requires  an  approved 
telephone  number  as  the  seareh  term  and  only  for  the  purpose  of  eall  ehain  analysis.  194 

186  Ibid.,  13. 

18’7  ODNI,  Facts  on  the  Collection  of  Intelligence  Pursuant  to  Section  702  of  the  Foreign  Intelligence 
Surveillance  Act,  June  8,  2013,  2.  http://www.dni.gov/index.php/newsroom/press-releases/191-press- 
releases-201 3/871 -facts-on-the-collection-of-intelligence-pursuant-to-section-702-of-the-foreign- 
intelligence-surveillance-act 

188  FISC,  Primary  Order,  BR  13-80,  2013,  4;  FISC,  Order,  BR  06-05,  2006,  4. 

189  FISC,  Order,  BR  06-05,  2006,  4. 

190  FISC,  Primary  Order,  BR  13-80,  2013,  4. 

191  Ibid.,  4-5. 

192  Ibid.,  5:  FISC,  Order,  BR  06-05,  2006,  5. 

1 93  NSD,  Report  on  the  National  Security  Agency ’s  Bulk  Collection  Programs,  2009,  4. 

194  FISC,  Primary  Order,  BR  13-80,  2013,  6-7. 
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Most  of  these  telephone  numbers  are  on  an  alert  list  reviewed  and  authorized  by  the 
FISC,  195  but  a  select  group  of  twenty-two  officials  can  approve  a  number  if  there  is  RAS 
that  it  connects  to  one  of  the  listed  terrorist  organization.  196  Thus,  it  is  only  when  an 
approved  telephone  number  is  associated  with  an  international  terrorist  organization  that 
one  of  the  few  authorized  and  trained  analysts  can  access  BR  metadata.  As  of  2008,  the 
FISC  limited  that  number  to  a  mere  85  analysts.  197  Access  to  the  data  is  clearly 
restricted. 

d.  Executive  Oversight 

The  DOJ,  ODNI,  and  NSA  mainly  handle  oversight  of  the  BR  program.  The 
coordination  and  reporting  requirements  for  Executive  oversight  is  extensive.  As 
mentioned  above,  the  collection  of  BR  metadata  occurs  by  serving  a  court  order  to  the 
telecommunications  companies.  That  order  is  generally  effective  for  90  days.  During  that 
period,  the  following  types  of  oversight  occur.  First,  representative  from  the  NSA  Office 
of  General  Council  (OGC),  Office  of  the  Director  of  Compliance,  and  DOJ  review  the 
program’s  compliance  with  the  FISC  order  and  submit  their  findings  in  writing  to  the 
court.  198  Second,  every  90  days  DOJ  must  review  a  sample  of  the  queries  made  against 
the  BR  metadata.  199  Third,  every  45  days  the  OGC  reports  to  the  Director  on  the 
effectiveness  of  NSA’s  oversight  of  data  on  U.S.  persons. Fourth,  twice  during  the 
authorized  period  of  collection  the  National  Security  Division  (NSD)  of  DOJ  reviews 
both  the  NSA’s  justifications  for  approving  telephone  identifiers  as  well  as  the  queries 
conducted  against  the  BR  metadata.  20 1  Every  36  days  the  NSA  must  file  a  report  with 


195  Ibid.,  9. 

196  Ibid.,  7,10. 

197  FISC,  Order,  BR  08-13,  2009,  9. 

198  FISC,  Primary  Order,  BR  13-80,  2013,  15;  FISC,  Primary  Order,  BR  09-13,  2009,  17. 
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the  court  that  accounts  for  all  dissemination  of  U.S.  person  data  in  any  form  outside  the 
NS  A  that  occurred  since  the  last  report.  202 

An  obvious  criticism  is  that  since  the  same  branch  of  government  running  a  secret 
program  is  also  reviewing  its  compliance  with  legal  requirements,  the  oversight  is  likely 
just  a  rubber  stamp.  The  available  record,  however,  indicates  otherwise.  For  examples, 
when  a  DOJ  and  NS  A  review  discovered  a  compliance  issue  they  immediately  informed 
the  FISC  as  well  as  the  intelligence  committees  in  Congress  and  the  Director  of  NSA 
initiated  a  comprehensive  review  of  the  program.  203  xhe  problems  generally  related  to  a 
few  instances  where  unauthorized  NSA  analysts  received  un-minimized  BR  metadata 
reports  and  technical  issues  that  resulted  in  broad  the  dissemination  of  similar 
information. 204  xhe  causes  of  the  compliance  issues  were  related  to  technical  errors  in 
the  software  and  operator  mistakes,  205  but  these  were  subsequently  remedied.  The  self- 
identification  of  the  compliance  problem  and  immediate  reporting  of  the  issues  to  the 
other  oversight  bodies  demonstrates  a  persistent  Executive  oversight  program. 

e.  Congressional  Oversight 

Members  of  the  Senate  Select  Committee  on  Intelligence  (SSCI)  and  the  House 
Permanent  Select  Committee  on  Intelligence  (HPSCI)  have  stated  that  they  were  aware  of 
the  BR  program. 206  yjot  only  were  the  committee  members  aware,  but  so  were  other 
members  of  Congress. 207  xhe  Executive  branch  also  claimed  to  regularly  inform 
Congress,  which  is  supported  by  declassified  letters  from  the  DOJ  to  the  SSCI  and 
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HPSCI  about  the  BR  metadata  program. 208  xhe  DOJ  also  provides  annual  reports  to  the 
SSCI  and  HPSCI  on  the  BR  metadata  program.209  Moreover,  Congress  extended  the 
powers  of  the  surveillance  program  under  the  FISA  Amendments  Act  of  2008  and 
reauthorized  these  authorities  in  2012.210  While  there  may  have  been  disagreements 
regarding  the  BR  metadata  program,  Congress  was  informed  and  made  decisions  that 
affected  the  program.  It  conducted  oversight. 

f.  Judicial  Oversight 

The  FISC  has  the  authority  to  determine  and  enforce  the  BR  metadata  program’s 
compliance  with  its  orders  and  the  law.^n  At  times,  this  oversight  is  administrative  in 
nature  such  as  when  it  reviews  the  NS  A,  DOJ,  and  ODNI  reports  or  approves  telephone 
numbers  that  can  be  used  to  access  the  BR  metadata.212  Other  times,  the  oversight  is 
fierce.  For  example,  although  the  FISC  determined  that  there  were  no  intentional  or  bad- 
faith  violations  of  its  orders  during  the  compliance  issues, 213  it  nonetheless  held  the  NSA 
accountable  for  the  problems.  At  one  point,  the  FISC  ordered  the  government  to  complete 
and  provide  the  results  of  an  end-to-end  system  review  of  the  program,  provide  an 
affidavit  that  describes  the  value  of  the  metadata  to  national  security,  demonstrate  that  the 
metadata  are  for  authorized  investigations,  submit  an  affidavit  stating  that  the 
technological  remedies  have  been  tested  and  are  successful,  and  explain  additional 


208  The  Attorney  General ’s  Annual  Report  on  Access  to  Certain  Business  Records  for  Foreign 
Intelligence  Purposes  Under  the  Foreign  Intelligence  Surveillance  Act,  April  2011;  NSD,  The  Attorney 
General 's  Annual  Report  on  Access  to  Certain  Business  Records  for  Foreign  Intelligence  Purposes  Under 
the  Foreign  Intelligence  Surveillance  Act,  April  2012. 

209  NSD,  Report  on  the  National  Security  Agency 's  Bulk  Collection  Programs  2009,  4;  NSD,  Report 
on  the  National  Security  Agency ’s  Bulk  Collection  Programs,  201 1,  4;  ODNI,  Facts  on  the  Collection  of 
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drafl-document. 
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remedial  steps  the  government  will  take.^i^  The  eourt  required  these  steps  to  restore  its 
eonfidenee  in  the  government’s  ability  to  proteet  information  about  U.S.  persons.  Until 
this  oeeurred,  the  FISC  approved  BR  metadata  eolleetion  on  a  ease-by-ease  basis  instead 
of  the  usual  bulk  method.^i^  The  FISC  also  ordered  the  government  to  explain  the 
eomplianee  ineidents  in  full  and  provide  supporting  doeumentation  so  the  eourt  ean 
determine  if  it  should  modify  or  reseind  the  order,  direet  additional  remedial  steps,  or 
take  legal  aetion  against  the  people  responsible  for  the  misrepresentations  or  violations  of 
the  order.  216  These  examples  demonstrate  that  not  only  is  there  Judieial  oversight  of  the 
BR  metadata  program,  but  that  role  provides  an  important  safeguard  against  the  privaey 
eoneems  inherent  in  the  program. 

g.  Auditing  Access  to  Personal  Information 

Under  the  BR  metadata  program,  any  of  the  metadata  that  eoneerns  a  U.S.  person 
is  “subjeet  to  striet  and  frequent  audit  and  reporting  requirements. ”2 12  For  example, 
every  time  that  an  unapproved  telephone  number  is  used  to  query  the  metadata,  a  reeord 
is  generated.  218  in  addition,  every  time  someone  aeeesses  the  metadata,  the  system 
automatieally  ereates  an  auditable  reeord  that  ineludes  the  user’s  login  identifier,  IP 
address  from  whieh  the  request  generated,  date  and  time  of  the  query,  and  the  speeifie 
seareh  request.  2 19  Thus,  there  is  striet  auditing  of  who  aeeesses  the  metadata  and  how  it 
is  used,  the  results  of  whieh  are  ineluded  in  the  Exeeutive  and  Judieial  oversight 

reports.  220 
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h.  Information  Is  Anonymous 

The  information  is  anonymous  at  collection  because  of  the  prohibition  on 
collecting  names  or  addresses.  221  Additionally,  the  telephone  number  is  treated  as 
personal  information  and  is  protected  as  such.  Even  if  a  telephone  number  belonging  to  a 
U.S.  person  is  affiliated  with  an  international  terrorist  organization,  that  telephone 
number  is  still  treated  in  accordance  with  the  minimization  procedures  that  protect  the 
personal  information  of  U.S.  persons.  222  The  BR  metadata  is  anonymous  information. 

B,  COMPREHENSIVE  ASSESSMENT 

The  next  step  in  the  measuring  process  contextualizes  the  overall  concerns  raised 
by  the  BR  program,  identifies  any  deficiencies  in  the  safeguards,  and  assesses  what  has 
the  most  negative  impact  on  the  overall  privacy  costs.  This  comprehensive  assessment 
will  attempt  to  answer  the  questions:  what  are  the  privacy  costs  and  are  these  costs 
acceptable?  The  overall  privacy  concern  is  that  the  BR  metadata  program  collects 
substantial  amounts  of  data  on  Americans  that  falls  under  an  expectation  of  privacy. 
While  there  are  strong  safeguards  in  place  to  protect  against  abuses,  the  primary  shortfall 
is  that  no  PIA  was  conducted.  In  order  to  be  most  effective,  safeguards  must  address 
anticipated  privacy  issues.  Without  a  PIA,  however,  there  was  insufficient  insight  into 
what  these  problems  could  be  and,  consequently,  many  issues  that  could  have  possibly 
been  addressed  at  the  outset  of  the  program  were  not.  Without  a  PIA,  there  is  an 
increased  chance  that  privacy  problems  will  arise.  The  compliance  issues  with  the  BR 
metadata  program  thus  far  have  proven  this  negative  effect  to  be  true.  Example  problems 
include  analysts  being  able  to  query  the  data  without  a  RAS-approved  telephone  number, 
a  software  tool  could  override  the  limit  on  how  many  numbers  the  call  chain  analysis 
could  search,  and  the  CIA,  EBI,  and  National  Counterterrorism  Center  (NCTC)  could 


221nSD,  Report  on  the  National  Security  Agency’s  Bulk  Collection  Programs,  2009,  3,5;  NSD,  Report 
on  the  National  Security  Agency’s  Bulk  Collection  Programs,  201 1,  5;  FISC,  Primary  Order,  BR  13-80, 
2013,  3;  FISC,  Order,  BR  06-05,  2006,  2. 

222  FISC,  Primary  Order,  13-80,  2013,  13;  NSD,  Report  on  the  National  Security  Agency’s  Bulk 
Collection  Programs,  2009,  2;  NSD,  Report  on  the  National  Security  Agency ’s  Bulk  Collection  Programs, 
201 1,  5;  FISC,  Order,  BR  06-05,  2006,  6. 
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access  un-minimized  information  about  U.S.  persons. 223  A  PIA  eould  have  potentially 
identified  these  problem  areas  and  the  government  could  have  implemented  safeguards 
before  the  compliance  issues  oceurred. 

A  vast  majority  of  the  BR  metadata  the  NS  A  eolleets  is  irrelevant  to  FBI 
investigations  yet  pertains  to  the  eommunications  of  U.S.  persons  within  the  United 
States. 224  Does  this  praetiee  fall  within  the  tolerance  of  the  American  people?  To  assess 
whether  or  not  the  program  is  aceeptable  requires  a  comparison  of  the  seope  of 
colleetion,  aeeess,  and  use  of  the  information  with  publie  opinion.  There  is  no  publicly 
available  information  on  how  mueh  of  the  U.S.  person  metadata  the  NSA  accesses.  There 
is,  however,  information  related  to  the  scope  of  eolleetion  and  the  use  of  metadata. 

There  is  no  eseaping  that  the  amount  of  metadata  eollected  under  the  BR  program 
is  substantial.  As  of  2014,  the  number  of  American  adults  with  cell  phones  was  at  91 
pereent  of  the  population. 225  if  the  NSA  eolleeted  against  every  device  in  the  United 
States,  the  program  would  affeet  223  million  Ameriean  adults. 226  Due  to  eapability 
limitations,  the  reeent  scope  of  eolleetion  turns  out  to  be  much  less  than  eomplete 
eoverage.  Aeeording  to  multiple  reports,  the  NSA  is  only  colleeting  between  20  and  30 
pereent  of  the  overall  eall  records  in  the  United  States.  227  Americans  own  more  than  one 
deviee  on  average,  which  means  20  to  30  percent  of  call  records  affects  between  roughly 
45  and  68  million  Amerioans.228  Baek  to  the  original  question  of  aeeeptability,  where  do 


223  NSD,  Report  of  the  United  States,  BR  09-09,  2009,  56-58;  Litt,  Privacy,  Technology  and  National 
Security,  1. 

224  FISC,  Supplemental  Opinion,  BR  09-15,  2009,  5. 

225  “Mobile  Technology  Fact  Sheet,”  Pew  Research  Center,  December  27,  2013, 
http://www.pewintemet.org/fact-sheets/mobile-technologv-fact-sheet/. 

226  Bureau  of  the  Census,  National  Population  Projections,  2008  (Washington,  DC:  Government 
Printing  Office,  2012),  table  2. 

227  Ellen  Nakashima,  “NSA  Is  Collecting  Less  than  30  Percent  of  U.S.  Call  Data,  Officials  Say,” 
Washington  Post,  accessed  March  5,  2014,  http://www.washingtonpost.com/world/national-securitv/nsa-is- 
collecting-less-than-30-percent-of-us-call-data-ofFicials-sav/2014/02/07/234a0e9e-8fad-lle3-b46a- 

5a3dQd2130da  storv.html:  Siobhan  Gorman,  “NSA  Collects  20%  or  Less  of  U.S.  Call  Data,”  Wall  Street 
Journal,  Febmary  7,  2014, 

http://online.wsi.eom/news/articles/SB10001424052702304680904579368831632834004. 

228  “Global  Mobile  Statistics  2013  Part  A:  Mobile  subscribers;  handset  market  share;  mobile 
operators,”  mobiThinking,  June  2013,  http://mobithinking.com/mobile-marketing-tools/latest-mobile- 
stats/a#uniquesubscribers;  Bureau  of  the  Census,  National  Population  Projections,  table  2. 
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these  eollection  numbers  fall  in  relation  to  the  public’s  tolerance  of  the  NS  A  program? 
The  most  recent  number  that  specifically  measures  the  acceptability  of  telephone  tracking 
shows  that  56  percent  of  the  population  approve  of  the  intelligence  method.  ^29  if  the 
government  collected  all  phone  data,  it  would  clearly  be  beyond  the  threshold  of  the 
American  public  (Figure  9).  At  a  decreased  capacity,  however,  it  could  be  tolerable  if  the 
limited  scope  was  intentional.  Being  that  the  decreased  collection  is  due  to  technical 
limitations  and  not  an  inherent  restriction  on  the  BR  program,  the  intended  scope  of  the 
metadata  collection  is  beyond  public  tolerance  and  therefore  increases  the  subjective 
privacy  concerns  associated  with  the  program. 


Scope  of  Collection  and  Public  Tolerance 
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Figure  9.  Scope  of  Collection  and  Public  Tolerance 


How  much  metadata  the  government  uses  provides  a  different  conclusion  about 
acceptability.  The  usage  numbers  are  miniscule.  Between  2006  and  2009,  the  NSA 
provided  the  FBI  with  an  average  of  853  telephone  numbers  per  year. 230  While  the 
program  accessed  more  numbers  through  call  chaining,  usage  is  limited  to  the  amount  of 

229  “Majority  Views  NSA  Phone  Tracking  as  Acceptable  Anti-terror  Tactic,”  Pew  Research  Center, 
June  10,  2013,  http://www.people-press.org/2013/06/10/maioritv-views-nsa-phone-tracking-as-acceptable- 
anti-terror-tactic/. 

230  FISC,  Order,  BR  08-13,  2009,  13. 
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telephone  numbers  passed  to  the  FBI  for  a  counterterrorism  investigation.  In  essence,  the 
comparison  is  between  how  many  Americans  the  government  collects  on  and  how  many 
of  these  Americans  it  investigates  under  the  authority  to  prosecute.  If  the  NSA  collected 
on  every  American  with  a  cell  phone,  only  0.00026  percent  of  these  people  would  have 
their  number  passed  to  the  FBI.  If  the  NSA  were  collecting  the  lesser  30  percent  of 
calling  data,  then  it  would  still  only  affect  0.00085  percent  of  the  people.  This  is  well 
below  the  public  tolerance  reflected  in  public  opinion  (Figure  10).  Moreover,  since  the 
telephone  numbers  investigated  and  passed  on  to  the  FBI  are  reasonably  believe  to  be 
associated  with  a  known  terrorist  organization,  the  chances  that  a  law  abiding  citizen’s 
telephone  number  is  affected  is  even  less.  The  amount  of  telephone  numbers  used  by  the 
government  is  subjectively  acceptable.  Consequently,  the  overall  subjective  analysis 
reveals  that  scope  is  well  beyond  public  tolerance  but  the  extremely  limited  amount  of 
metadata  used  by  the  government  is  within  the  acceptable  range,  so  long  as  the 
safeguards  for  access  and  dissemination  are  effective. 
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c. 


CHANGES  TO  THE  BR  METADATA  PROGRAM 


In  January  2014,  President  Obama  announced  several  changes  to  intelligence 
programs,  which  specifically  included  the  NS  A  BR  metadata  program.  23 1  The  purpose 
of  the  reforms  is  to  better  protect  privacy  without  degrading  the  effectiveness 
intelligence.  232  in  order  to  accomplish  this,  however,  the  changes  would  need  to  address 
the  issues  raised  in  this  chapter.  It  is  therefore  informative  to  review  what  effect,  if  any, 
there  will  be  on  the  BR  metadata  privacy  concerns  and  safeguards. 

The  new  Presidential  Policy  Directive-28  (PPD-28)  established  new  limits  on  the 
use  of  SIGINT  that  is  collected  in  bulk,  but  the  approved  list  of  justifications  includes  the 
terrorism  nexus  originally  required  in  the  BR  program. 233  Similarly,  the  dissemination, 
retention,  access,  and  oversight  requirements  in  PPD-28  do  not  change  the  BR  metadata 
safeguards  already  in-place  for  information  related  to  U.S.  persons. 234  The  scope  of 
collection  will  also  effectively  be  the  same.  While  the  reforms  call  for  external  storage  of 
the  BR  metadata  outside  of  the  government’s  control,235  collecting  the  data  will  still  be  in 
bulk  and  pursuant  to  FISC  orders  based  on  an  authorized  investigation,  which  is  how  the 
program  already  operates. 236 

The  new  requirements  do  create  additional  restrictions  on  access.  Through  a 
software  program,  contact  chaining  can  access  a  U.S.  person’s  metadata  even  if  an  NSA 
analyst  never  sees  that  U.S.  person’s  telephone  number.  Previously,  the  program  was 
permitted  to  pursue  telephone  identifiers  three  steps  removed  from  the  one  used  to  search 


231  White  House,  Office  of  the  Press  Secretary,  “FACT  SHEET:  Review  of  U.S.  Signals 
Intelligence,”  news  release,  January  17,  2014,  http://www.whitehouse.gov/the-press- 
office/20 14/01/1 7/fact-sheet-re  vie  w-us-si  gnals-intelli  gence . 

232  Ibid. 

233  Barrack  Obama,  Presidential  Policy  Directive  (PPD)-28,  “Signals  Intelligence  Activities,”  January 
17,  2014,  3-4. 

234  Ibid.,  5-6. 

235  Office  of  the  Press  Secretary,  “FACT  SHEET.” 

236  Office  of  the  Press  Secretary,  “Remarks  by  the  President  on  Review  of  Signals  Intelligence,”  news 
release,  January  17,  2014,  http://www.whitehouse.gov/the-press-office/2014/01/17/remarks-president- 

re  vie  w-si  gnals-intelli  gence . 


68 


the  data,  but  the  reforms  decrease  the  threshold  to  two  steps  removed. 237  Tighter  access 
restrictions,  however,  were  not  a  major  problem  with  the  BR  metadata  program.  Thus, 
while  it  does  improve  a  privacy  safeguard,  the  change  is  unsubstantial.  The  reforms  also 
seek  to  establish  a  body  of  independent  advocates  to  participate  in  significant  FISC 
cases, 238  but  the  outcome  is  the  same  as  that  for  improving  limitations  on  access:  the 
effect  on  privacy  costs  may  very  well  be  beneficial,  but  it  does  not  address  the  core 
privacy  issues  in  the  BR  program. 

Interestingly,  the  President’s  Review  Group  on  Intelligence  and  Communications 
Technologies  provided  a  recommendation  that  would  have  addressed  the  major  privacy 
concerns  of  the  BR  metadata  program.  Tasked  with  surveying  the  broad  intelligence 
apparatus  of  the  U.S.  government  and  to  recommend  changes,  the  group  specifically 
stated  that  the  government  should  conduct  privacy  and  civil  liberties  impact  assessments 
not  just  on  future  programs,  but  on  those  currently  in  existence.  239  There  is  yet  to  be  any 
indication  that  the  government  will  conduct  a  PIA  of  the  BR  metadata  program. 
Consequently,  new  and  old  safeguards  will  continue  to  respond  to  infringements  instead 
of  preempting  privacy  violations  by  focusing  efforts  on  identifiable  areas  of  concern.  In 
effect,  that  is  what  is  occurring  through  this  iteration  of  reforms.  While  the  intention  to 
protect  privacy  is  genuine,  these  changes  will  not  decrease  the  privacy  costs  associated 
with  the  BR  program. 


237  Office  of  the  Press  Secretary,  “FACT  SHEET.” 

238  Office  of  the  Press  Secretary,  “Remarks  by  the  President.” 

23971^5  President’s  Review  Group  on  Intelligence  and  Communications  Technologies,  Liberty  and 
Security  in  a  Changing  World,  December  12,  2013,  38-39. 
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NSA  BR  Metadata  Program 


Primary  Assessment 
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Comprehensive  Assessment 

Overall  Concerns: 

The  BR  program  coUeets  substantial  amounts  of  data  that  are  under  an  expectation  of  privacy. 

Shoitfalls: 

The  primary  shortfall  is  that  there  is  no  indication  the  government  conducted  a  Privacy  Impact 
Assessment  (PIA). 

Most  Negative  Effect: 

The  absence  of  a  PIA  has  a  substantial  negative  effect.  Other  safeguards  respond  to  privacy  issues 
as  they  occur,  but  with  a  PIA  many  issues  can  be  understood  and  resolved  prior  to  the  occurrence 
of  a  violation.  Consequently,  without  the  PIA  there  is  an  increased  chance  that  privacy  problems  will 
arise. 

Figure  1 1 .  Privacy  Costs  of  BR  Metadata  Program-Part  1 
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Indicators  of  Acceptability 
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Figure  12.  Privacy  Costs  of  BR  Metadata  Program-Part  2 
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VI.  CONCLUSIONS  AND  IMPLICATIONS 


A.  SYNOPSIS 

Chapter  I  laid  out  the  core  arguments  in  the  security  versus  liberty  debate  and 
identified  the  shortcomings  with  each.  Even  for  the  most  practical  approach,  the 
balancing  act,  there  was  a  fundamental  flaw:  we  could  measure  the  security  side  of  the 
scale,  but  lacked  any  meaningful  framework  to  measure  the  costs  to  privacy,  which 
represents  the  liberty  side  of  the  scale.  The  chapter  proposed  two  issues  to  investigate  in 
order  to  identify  key  indicators  for  measuring  privacy  costs.  First  was  the  expectation 
Americans  have  for  government  behavior  in  domestic  intelligence  programs,  which  the 
thesis  addressed  in  Chapter  II.  Second  was  the  expectation  Americans  have  for  privacy 
discussed  in  Chapter  III. 

Chapter  II  conducted  an  historical  and  comparative  analysis  of  Cold  War-era 
domestic  surveillance  programs  and  the  Pentagon’s  attempt  at  TIA  in  the  aftermath  of 
9/11.  Both  of  these  cases  were  quite  informative  about  what  Americans  expect  for 
government  behavior.  The  analysis  in  Chapter  II  identified  the  following  key  elements 
for  measuring  privacy  costs: 

•  Does  the  program  collect  or  access  personal  information? 

•  Is  the  collected  or  accessed  information  used  for  other  than  the  originally 
intended  purpose? 

•  Is  the  collected  or  accessed  information  derived  from  activities  protected 
under  the  First  Amendment? 

•  Did  the  responsible  parties  conduct  a  PIA? 

•  Is  the  dissemination  of  intelligence  products  derived  from  personal 
information  limited? 

•  Is  the  access  to  personal  information  restricted? 

•  Is  the  program  subject  to  Executive  oversight? 

•  Is  the  program  subject  to  Congressional  oversight? 

•  Is  the  program  subject  to  Judicial  oversight? 

•  Do  accountability  mechanisms  enable  the  auditing  of  access  to  and  use  of 
personal  information? 
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•  Is  the  information  made  anonymous? 

In  Chapter  II,  it  became  clear  that  the  type,  use,  and  protection  of  U.S.  persons’ 
information  contribute  to  a  program’s  privacy  costs. 

Chapter  III  addressed  a  more  fundamental  issue:  to  determine  where  Americans 
have  a  legitimate  privacy  interest  against  which  to  assess  privacy  costs.  The  chapter 
argued  that  the  1970s  interpretations  of  privacy  are  outdated.  It  demonstrated  this  by 
detailing  the  evolution  of  routine  societal  behaviors  in  the  digital  era,  the  increase  in  the 
number  of  parties  that  participate  in  standard  social  interactions,  how  there  is  more 
information  being  generated  in  modem  times,  and  how  that  information  is  becoming 
extremely  detailed  and  personal.  This  thesis  accepts  the  twofold  subjective  and 
reasonable  expectations  of  privacy  established  in  Katz,  but  argues  that  contemporary 
society  requires  new  interpretations  of  these  standards  in  order  to  maintain  the  same  level 
of  privacy  intended  by  the  framers  of  the  Constitution.  Chapter  III  concluded  that  a 
person  exhibits  a  subjective  expectation  of  privacy  by  deliberately  limiting  the  value  and 
quantity  of  the  objects,  activities,  or  statements  he  or  she  shares  with  others  and  by 
restricting  the  number  of  people  with  whom  he  or  she  shares  these  things.  Second,  a 
reasonable  expectation  of  privacy  includes  the  pervasiveness  of  technology  in  society, 
particularly  in  regards  to  conducting  routine  social  behaviors,  surreptitious  collection  of 
personal  information,  and  the  level  of  detail  in  business  records.  That  is,  society  is  not 
willing  to  concede  privacy  interests  despite  the  seeming  erosion  of  personal  privacy.  In  a 
free  and  open  society,  it  is  reasonable  to  expect  that  information  shared  with  a  company 
or  another  individual  will  not  be  shared  with  the  government.  After  all,  that  is  the  intent 
of  Fourth  Amendment  privacy  protections. 

Chapter  IV  transforms  the  lessons  in  Chapter  II  and  III  into  a  model  for  measuring 
privacy  costs.  The  model  comprises  two  types  of  assessments.  First  is  the  primary 
assessment,  which  focuses  on  establishing  whether  or  not  certain  privacy  concerns  apply 
to  an  intelligence  program  and  whether  safeguards  are  in  place  to  minimize — but  not 
negate — those  privacy  concerns.  Second,  the  comprehensive  assessment  identifies  the 
overall  privacy  concerns,  shortfalls  in  privacy  safeguards,  and  what  part  of  the  program 
has  the  most  negative  effect  on  privacy  costs.  The  comprehensive  assessment  also  applies 

74 


a  subjective  review  of  the  program’s  acceptability.  While  recognizing  that  public  opinion 
is  not  an  absolute  determinant  for  what  an  intelligence  program  ought  to  do  or  avoid,  it 
can  nonetheless  be  a  useful  data  point  on  the  public’s  subjective  tolerance  of  a  particular 
intelligence  program  or  practice.  The  template  for  this  model  is  in  Figure  8  and  examples 
are  in  Figures  1 1  and  12. 

Chapter  V  measured  the  privacy  costs  of  the  NS  A  BR  metadata  program 
according  to  the  model.  The  analysis  was  revealing.  While  the  public  discourse  since 
June  2013  until  the  reforms  in  January  2014  alluded  to  unacceptably  high  privacy  costs, 
the  alternative  turned  out  to  be  true.  The  NSA  program  invoked  few  of  the  privacy 
concerns  and  had  markedly  effective  and  overlapping  privacy  safeguards.  Moreover, 
while  collection  was  unquestionably  extensive,  the  telephone  information  used  and 
passed  to  the  FBI  for  investigative  purposes  affected  a  mere  0.00026  percent  of  the 
people  whose  information  was  collected  by  the  program.  As  it  turned  out,  the  factor  with 
the  most  negative  effect  on  privacy  costs  was  the  absence  of  a  PIA.  Consequently,  there 
have  been  compliance  issues  in  the  NSA  program  caused  by  technological  and  human 
errors  that  potentially  could  have  been  avoided.  To  minimize  the  privacy  costs  of  the 
NSA  BR  program,  the  government  would  need  to  give  adequate  attention  to  this  factor. 
Upon  review  of  the  2014  intelligence  reforms,  there  is  no  indication  that  one  will  be 
conducted.  Additionally,  the  Chapter  V  analysis  revealed  that  the  reforms  will  produce  no 
substantive  improvements  to  the  privacy  costs  of  the  BR  metadata  program.  The  reforms 
attempted  to  balance  security  and  liberty  by  keeping  a  necessary  program  while  altering 
some  of  the  privacy  practices.  In  the  end,  however,  the  balance  essentially  remained  the 
same.  The  experience  of  the  NSA  program  illuminates  the  futility  of  balancing  security 
and  liberty  with  one  side  of  the  scale  empty. 

B,  IMPLICATIONS 

With  a  method  for  measuring  privacy  costs  now  established,  many  ongoing 
domestic  intelligence  programs  that  affect  Americans’  privacy  require  a  re-striking  of  the 
balance  between  security  and  liberty.  The  FBI’s  Terrorist  Watch  List  is  one  example.  As 
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of  2011,  the  list  included  420,000  individuals. 240  To  place  someone  on  the  list  usually 
requires  a  preliminary  terrorism  investigation,  but  there  are  exceptions  to  this  minimum 
standard.  241  This  implies  that  the  government  can  place  Americans  on  the  list  for  reasons 
other  than  a  demonstrable  connection  to  terrorism.  Additionally,  the  government  is 
supposed  to  remove  a  person  from  the  Terrorist  Watch  List  if  there  is  insufficient 
justification  for  keeping  him  or  her  on  the  list,  or  if  there  is  no  active  terrorism 
investigation  on  that  person.  242  An  IG  report  revealed  that  the  average  time  it  took  the 
FBI  to  remove  a  name  off  the  list  was  1,112  days. 243  This  implies  that  there  could  be 
Americans  on  the  Terrorist  Watch  List  that  are  not  supposed  to  be,  and  whose  privacy  is 
being  violated  as  a  result.  On  the  other  hand,  the  Terrorist  Identities  Datamart 
Environment  (TIDE)  database  had  an  increase  in  the  total  number  of  terrorist  identifiers 
between  2011  and  2012  while  having  a  simultaneous  decrease  in  the  number  of 
Americans  in  that  database. 244  Since  the  NCTC  uses  TIDE  to  nominate  people  to  the 
Terrorist  Watch  List,  the  decrease  of  Americans  in  the  database  could  indicate  an 
increase  in  privacy  protections  for  Americans  in  TIDE  and,  by  extension,  the  watch  list. 
The  FBI  also  has  a  redress  procedure  through  which  a  person  can  challenge  his  or  her 
inclusion  on  the  watch  list;  245  however,  this  mitigates  concerns  only  in  so  far  it 
potentially  corrects  the  government’s  infringement  on  that  specific  person’s  privacy. 


240  “Terrorist  Screening  Center,”  Ten  Years  After:  The  FBI  Since  9/11,  FBI,  September  2011, 
http://www.fbi.gov/about-us/ten-vears-after-the-fbi-since-9-l  1/iust-the-facts-l/terrorist-screening-center. 

241  U.S.  Department  of  Justice,  Office  of  the  Inspector  General,  Audit  Division,  The  Federal  Bureau 
of  Investigation ’s  Terrorist  Watchlist  Nomination  Practices,  Audit  Report  09-25,  May  2009,  ii.,55. 

242  Ibid.,  ii.,55. 

243  Ibid.,  55. 

244  Sharing  and  Analyzing  Information  to  Prevent  Terrorism:  Hearing  Before  the  House  Committee 
on  the  Judiciary,  1 1 1th  Cong.  (March  24,  2010)  (statement  of  Timothy  J.  Healy,  Director,  Terrorist 
Screening  Center,  Federal  Bureau  of  Investigation);  ODNI,  National  Counterterrorism  Center  (NCTC), 
TIDE  Fact  Sheet,  accessed  February  28,  2014  and  July  16,  2013, 
http://www.nctc.gov/docs/Tide  Fact  Sheet.pdf 

245  Five  Years  after  the  Intelligence  Reform  and  Terrorism  Prevention  Act:  Stopping  Terrorist  Travel: 
Hearing  Before  Senate  Committee  on  Homeland  Security  and  Governmental  Affairs,  1 1 1th  Cong. 
(December  9,  2009)  (statement  of  Timothy  J.  Healy,  Director,  Terrorist  Screening  Center,  Federal  Bureau 
of  Investigation). 
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Notably,  the  FBI  has  improved  on  the  issues  addressed  by  the  IG  report.  246  These 
changes  will  not  necessarily  make  the  privacy  costs  tolerable.  To  determine  the  adequacy 
of  the  balance  between  security  and  liberty  of  the  Terrorist  Watch  List  requires  an  overall 
analysis  of  the  privacy  costs.  Perhaps  measuring  these  costs  will  identify  areas  for  reform 
or  perhaps  the  costs  will  be  accepted  for  what  they  are.  Either  way,  we  cannot  say  that  its 
security  interest  is  accurately  balanced  against  the  privacy  costs  until  that  happens. 

Similar  to  the  NS  A  BR  metadata  program,  the  National  Security  Letters  (NSLs) 
and  the  FISA  702  programs  were  also  targets  of  the  2014  intelligence  reforms. 247 
Whether  those  changes  will  substantively  mitigate  privacy  concerns  requires  a  full 
understanding  of  the  privacy  costs.  Will  allowing  companies  to  provide  information 
about  how  many  times  they  receive  NSLs  nullify  the  privacy  concerns  that  exist?  Is 
protecting  incidental  collection  of  U.S.  person  information  that  occurs  in  the  FISA  702 
program  worth  a  possible  decrease  in  intelligence  efficiency?  In  the  end,  the  presence  of 
privacy  costs  does  not  always  necessitate  reforms.  Changes  that  significantly  affect  how  a 
program  operates  or  that  potentially  decrease  its  effectiveness  in  the  name  of  privacy 
concerns  are  not  always  desirable.  Part  of  the  nature  of  costs  is  what  we  are  willing  to 
give  up  in  one  area  in  order  to  gain  in  another.  It  is  about  the  tough  decision  society  must 
make:  are  the  losses  here  worth  the  gains  elsewhere?  Sometimes  the  privacy  costs  will 
simply  capture  what  the  balance  requires;  it  will  reflect  what  privacy  infringements  must 
occur  through  an  intelligence  program  in  order  to  benefit  security.  Indeed,  that  is  the 
debate  to  have  and  with  a  way  to  measure  privacy  costs,  that  is  where  this  conversation 
goes  next. 

C.  CONCLUDING  REMARKS 

Although  this  thesis  argues  for  how  best  to  account  for  privacy  costs,  which 
includes  scrutinizing  intelligence  programs,  it  is  not  an  argument  for  privacy  over 
security.  Making  an  argument  for  what  privacy  considerations  must  be  taken  into  account 

246  U.S.  Department  of  Justice,  Office  of  the  Attorney  General,  Performance  and  Accountability 
Report,  Appendix  C:  Office  of  the  Inspector  General  (IG)  Follow-Up  Audit  of  the  DOJ  Internal  Controls 
over  Reporting  of  Terrorism-Related  Statistics,  2012,  C1-C2. 

247  Office  of  the  Press  Secretary,  “FACT  SHEET.” 
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is  not  to  deny  that  the  government  might  have  a  valid  need  to  infringe  on  privaey- 
proteeted  areas.  It  is  simply  to  get  to  the  end  state:  these  are  the  privaey  eosts  of  earrying 
out  the  intelligence  program. 

The  legitimacy  of  an  intelligence  program  is  inherently  tied  to  how  well  it 
upholds  Constitutional  values  while  pursuing  security  threats.  This  occurs  through 
striking  the  right  balance  between  security  and  liberty.  Measuring  the  privacy  costs  of  a 
program  is  the  requisite  first  step  in  reforming  a  program  to  decrease  unnecessary  costs, 
and  the  final  step  before  posing  the  question  to  society  of  whether  the  overall  privacy  cost 
is  worth  the  security  benefit  it  promises. 
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